Audit, complete

We completed our SOC 2 Type II audit covering the full twelve-month period. The report is available under NDA to current and prospective customers — reach out to your account contact and we'll get it to you.

What we audited

The audit covered our security, availability, and confidentiality trust criteria. The scope is the full Argus platform: customer-facing application, scanning infrastructure, data storage, internal access systems, and the operational practices around incident response, change management, and vendor risk. We included our subprocessors in the report so customers don't need to assemble that picture themselves.

The auditor was a Big Four firm we've worked with before. We chose continuity over starting fresh because the value of an audit compounds — they know what to look for in our environment, and we know what evidence formats they'll accept.

Why Type II matters

Type II matters more than Type I because it covers operational consistency over time, not a point-in-time snapshot. Anyone can pass a Type I audit by tightening up the week before. Type II requires the controls to actually run, every day, for twelve months, with evidence trails the auditor can sample.

For a security platform specifically, that's the right bar. Customers are betting that the controls we describe in our security documentation are the ones we actually run, and Type II is the closest thing to independent verification that those two are the same thing.

What's next

We're actively working toward ISO 27001 and expect to complete certification later this year. Beyond that, customers in regulated industries — financial services especially — have been asking about specific framework alignments like PCI DSS and HIPAA-relevant attestations. We're prioritizing those based on customer demand and will share more as scope is finalized.