
Security controls built to SOC 2 Type II standards

AES-256-GCM field-level encryption, MFA and role-based access control, append-only audit logging, and automated backup and restore drills are live in production today. Our independent SOC 2 Type II report is scheduled for Q4 2026.

Trust service criteria. Security (CC) · Availability (A) · Confidentiality (C) · Processing integrity (PI) · Privacy (P).

Programme status

Phase                          Window         Status
Readiness assessment           Q1 2026        Complete
Control implementation         Q2 2026        Complete
Observation period (6 months)  Q2 to Q4 2026  Active
Type II report issuance        Q4 2026        Scheduled

Control evidence

  • Access control. RBAC, MFA, session revocation, quarterly access reviews
  • Encryption. TLS in transit; AES-256-GCM field-level encryption at rest for vault, life-care/medical, biography, financial, asset, beneficiary, digital-account, medication, and medical-contact records; optional client-side zero-knowledge encryption
  • Monitoring & availability. /api/health, /status, automated backups, restore drills
  • Audit & integrity. Append-only audit logs, Zod validation on all API inputs
  • Privacy & subprocessors. Export/delete flows, DPAs, published subprocessor list

Full mapping: docs/SOC2_CONTROLS.md · programme charter: docs/SOC2_TYPE_II_PROGRAMME.md

Enterprise & family office requests

Family offices and enterprise clients may request our full control mapping now, and the SOC 2 Type II report summary under NDA once issued.

Email security@helauloom.com with your organisation name and NDA contact. We respond within two business days with the readiness attestation letter or report summary when available.
