SOC 2 Type II since 2022

Security and compliance evidence, on request, without the procurement gauntlet.

DuoCircle invests real time and money in keeping a SOC 2 Type II in good standing year after year, an annual CSA STAR self-assessment for the products that need it, and a current HECVAT for higher education. Your organization may need more, less, or different evidence than that. Whatever you need, here is where to get it.

Bonterms Mutual NDA, published before you ask
Same-day turnaround in most cases
Annual penetration testing, summary available

SOC 2 Type II: Since 2022. Annual examination, all four trust criteria.
CSA STAR: 6 services. Level 1 self-assessment, public registry.
Customers since: 2014. Over 50,000 organizations to date.
From request to report: One signature. No redlines, no procurement maze.

Why this page exists

We do the work, so your team does not have to repeat it.

Maintaining a SOC 2 Type II in good standing is not a checkbox. It is an annual examination by an independent CPA firm, a control environment our security team runs every day of the year, and a set of policies we keep current and tested. We invest in it because we believe security work should be visible, audited, and reusable, not reinvented for every new vendor questionnaire.

Your organization may need more than that, or less, or something different. Higher education sees HECVAT. Public sector sees CJIS or StateRAMP. Healthcare sees HIPAA. Financial services sees PCI or NYDFS 500. Most of these standards overlap with the SOC 2 control set we already operate. We can usually map our existing evidence to whatever framework you have to file against, instead of asking your team to start from a blank questionnaire.

On this page you will find what we publish openly, what we share under a standardized NDA you can read in advance, and how to ask for the rest.

Public, no NDA

Start here. No signature required.

The fastest way through early-stage diligence is the evidence we publish openly. Most procurement teams find what they need below before they ever email us.

CSA STAR Registry

Level 1 self-assessment (CAIQ Lite, subset of CCM v4.1) for six services in the Cloud Security Alliance public registry. Renewed annually. Read it before you reach out.

See per-product STAR entries

Subprocessor list

Every third-party vendor that processes personal data on our behalf, mandatory and optional, with role and headquarters. Customers receive thirty days' notice before any change.

View subprocessors

Bonterms Mutual NDA

We use the standardized Bonterms Mutual NDA, published openly so your legal team can review it before any conversation begins. Read once, sign anywhere.

Review the NDA

Security overview

Encryption, access control, monitoring, vendor management, and incident response, written for humans rather than auditors. The plain-English version of our security posture.

Read security overview

Policy catalog

The titles, owners, and review cadence of every policy in our information security program. Catalog public, contents under NDA. Use it to scope your questionnaire.

See the catalog

Responsible disclosure

How to report a security issue, our acknowledgment commitment, scope, and the safe harbor we extend to good-faith research that follows responsible disclosure norms.

Reporting policy

Open-source notices

Third-party open-source components in our installable email-security products for HCL Notes and Domino. Verbatim mirror of the THIRD-PARTY-NOTICES.txt shipped in the installer.

View notices

Under NDA

When you need the auditor's letterhead, sign once and we will send it.

The Bonterms Mutual NDA is a standardized two-way agreement we publish in advance. Most exchanges complete the same business day. No redlines, no procurement maze, no surprise terms.

Document
SOC 2 Type II report
HECVAT Full
Penetration test summary
Information security policy pack
Custom questionnaire response

How it works

Three steps. One signature. Same business day.

1. Read the NDA before you ask

We publish the Bonterms Mutual NDA at duocircle.com/legal/mutual-nda. Your legal team can review it on their own time.

2. Submit the request form

Tell us who you are, the legal entity name, the authorized signer, and which documents you need. The form takes a minute.

3. Sign and receive

We countersign the NDA and send the documents you asked for. Same business day in most cases, no procurement gauntlet.

If your organization requires its own NDA form, send it. We accept reasonable customer paper without comment in the great majority of cases.

Per-product compliance pages

Each product has its own compliance page.

Many enterprise procurement teams need product-specific evidence rather than corporate-level evidence. Each product publishes its own compliance page with the CSA STAR registry entry, supported standards, and the data residency picture for that service.

Ready to move the procurement step into the past?

Tell us what you need. We will turn it around the same business day in most cases.