Enterprise-Grade Security: SOC 2 and Beyond
Our commitment to security and compliance — SOC 2 Type II, annual penetration testing, and customer-managed encryption keys.
Security isn't a feature — it's the foundation. Today we're announcing that Poly has achieved SOC 2 Type II certification, completing a multi-month audit of our security controls, infrastructure, and operational practices.
What SOC 2 Type II means
Unlike Type I (a point-in-time assessment), Type II certification covers a sustained period of operation — in our case, six months. Auditors examined our:
- Access controls and identity management
- Data encryption at rest and in transit
- Incident response and monitoring procedures
- Vendor risk management
- Change management and system availability
The report is available to enterprise customers under NDA. Contact your account manager to request access.
Your data, your control
This certification validates what we've believed from day one: enterprises should be able to adopt AI without compromising on security.
- Encryption — AES-256 at rest, TLS 1.3 in transit
- Key management — customer-managed encryption keys (CMEK) available on Enterprise plans
- Data residency — choose US, EU, or APAC storage regions
- Retention policies — configurable per workspace, down to the day
- RBAC — role-based access control at the workspace and project level
What's next
Beyond SOC 2, we've implemented:
- Annual penetration testing by independent security firms
- A public vulnerability disclosure program at security@poly.inc
- A security center with whitepapers, audit reports, and real-time status monitoring at status.poly.inc
For organizations with the most stringent requirements, we offer private deployment — run Poly on your own VPC or on-premise infrastructure. Same product, same features, your infrastructure. Contact our enterprise team to learn more.