Security controls built to SOC 2 Type II standards
AES-256-GCM field-level encryption, MFA and role-based access control, append-only audit logging, and automated backup and restore drills are live in production today. Our independent SOC 2 Type II report is scheduled for Q4 2026.
Trust services criteria. Security (CC) · Availability (A) · Confidentiality (C) · Processing integrity (PI) · Privacy (P).
Programme status
| Phase | Window | Status |
|---|---|---|
| Readiness assessment | Q1 2026 | Complete |
| Control implementation | Q2 2026 | Complete |
| Observation period (6 months) | Q2 to Q4 2026 | Active |
| Type II report issuance | Q4 2026 | Scheduled |
Control evidence
- Access control. RBAC, MFA, session revocation, quarterly access reviews
- Encryption. TLS in transit; AES-256-GCM field-level encryption at rest for vault, life-care/medical, biography, financial, asset, beneficiary, digital-account, medication, and medical-contact records; optional client-side zero-knowledge encryption
- Monitoring & availability. /api/health, /status, automated backups, restore drills
- Audit & integrity. Append-only audit logs, Zod validation on all API inputs
- Privacy & subprocessors. Export/delete flows, DPAs, published subprocessor list
Full mapping: docs/SOC2_CONTROLS.md · programme charter: docs/SOC2_TYPE_II_PROGRAMME.md
Enterprise & family office requests
Family offices and enterprise clients may request our full control mapping now, and the SOC 2 Type II report summary under NDA once issued.
Email security@helauloom.com with your organisation name and NDA contact. We respond within two business days with the readiness attestation letter or report summary when available.