Security and compliance, built into the platform.

Salt os is independently audited and certified to operate in the most regulated environments in the world: life sciences, financial services, energy and government. Your data never leaves your environment.

AUDITED BY SENSIBA LLP

AICPA SOC

COMPLIANT ARCHITECTURE

PRIVATE VPC / ON-PREM

Audited by Sensiba LLP · Examination Sep 5 – Dec 5, 2025 · Report date Feb 9, 2026

SOC 2 Certification

SOC 2 Type I and Type II.

Both reports are built on the same AICPA Trust Services Criteria. They answer different questions and signal different levels of maturity. Salt os holds both.

TYPE I — FOUNDATION

Controls suitably designed

A point-in-time examination verifying that security controls exist and are properly designed as of a specific date. The auditor confirms architecture and policies are in place.

Scope: Design & implementation

Timeframe: Single point in time

Status: Achieved ✓

TYPE II — GOLD STANDARD

CURRENT

Controls operating effectively

An examination over a sustained observation period verifying that controls were not only designed correctly, but operated consistently and effectively throughout. Required by enterprise procurement and regulated industry buyers.

Scope: Design + operational effectiveness

Examination period: Sep 5 – Dec 5, 2025

Auditor: Sensiba LLP — Report Feb 9, 2026

Type I establishes the foundation. Type II proves the system runs reliably over time. Enterprise buyers and regulated industry customers require Type II.
Salt os holds both.

Shared Responsibility Model

Your data never leaves your environment.

Salt os deploys entirely within your environment. Responsibilities are divided between Salt OS, your cloud infrastructure provider, and your organization.

Zero public data egress

Salt os deploys within customer-controlled VPC or on-premises environments. No model inputs, outputs, or intermediate data are transmitted to Salt OS systems. Your proprietary data (clinical, financial, or otherwise) stays in your environment. Always.

SALT OS CONTROLS

Platform & Orchestration

Platform software security

Workflow runtime & orchestration

Access control architecture

Audit log generation

SDLC & change management

Vulnerability management

CLOUD INFRA (GCP / AWS)

Infrastructure

Physical data center security

Network infrastructure

Hardware lifecycle management

Hypervisor isolation

Physical access controls

CUSTOMER (USER ENTITY)

Your Environment

VPC / on-prem configuration

User provisioning policies

Data classification

Complementary user controls

Access policy enforcement

Control Environment

Six examined control domains, all found effective.

Our SOC 2 Type II report tests controls across all Trust Services Criteria for Security. Every area below was independently examined by Sensiba LLP and found to operate effectively throughout the examination period.

Logical access & identity

Role-based access control, MFA enforced on all sensitive systems, provisioning and deprovisioning timelines, and annual access reviews.

RBAC

MFA

Annual Reviews

Encryption & data protection

Encryption at rest and TLS in transit, endpoint hard-disk encryption, and antivirus protection across all managed systems.

Encryption at rest

TLS in transit

Endpoint HDE

Security monitoring & vuln mgmt

Continuous vulnerability scanning, risk-based remediation SLAs, infrastructure logging and alerting, and SAST on every code merge.

Continuous scanning

SAST on merge

Logging & alerts

Incident response & recovery

Documented IR plan with defined escalation paths, disaster recovery and business continuity procedures, and automated daily backups.

IR plan

Daily backups

BCP

Change management / SDLC

Documented SDLC with approval gates, testing requirements, version control, and fully separated dev / test / production environments.

Separated envs

Approval gates

Version control

Subservice org oversight

Annual attestation review and risk analysis conducted for all cloud infrastructure providers, including GCP, Azure and AWS.

GCP

AWS

Annual review

Compliance Documentation

Available artifacts for your security review.

Contact your Salt os account representative to request any of the following compliance artifacts for your procurement or security review process.

Sensiba LLP Independent Examination

SOC 2 Type II report covers Trust Services Criteria: Security · Examination period Sep 5 – Dec 5, 2025 · Report issued Feb 9, 2026

SOC 2 TYPE II

Security audit report

Full examination report from Sensiba LLP. Restricted use; available to qualified prospects under NDA.

Under NDA

SOC 3

General-use report

Freely distributable summary report suitable for customers, partners, and investors.

Freely available

SENSIBA LLP

Attestation letter

Confirmation letter from our independent auditor verifying current SOC 2 Type II status.

On request

HIPAA

Business associate agreement

BAA available for covered entities and business associates under HIPAA requirements.

Enterprise

Request compliance documentation.

Need the full SOC 2 Type II report, SOC 3 general use report, or attestation letter from Sensiba LLP? Reach out to your account representative.