IlluminateRisk Trust Center
Compliance · v2026.05

Trust Center / Compliance

Compliance status

An honest, dated read of where IlluminateRisk stands on the certifications and frameworks that customer security reviewers ask about. We update this page when the status changes — not when we hope it will.

SOC 2 Type I
In progress
GDPR-aligned controls
In place
HIPAA
Out of scope

SOC 2 Type I

IlluminateRisk is preparing for a SOC 2 Type I attestation report covering the Security trust services criterion. We've designed our controls against the AICPA Trust Services Criteria from the start; the audit work formalizes evidence collection and gets us to a report a customer's security team can read instead of taking our word for it.

Target window: initial readiness assessment Q3 2026; observation period and Type I report Q4 2026. We'll publish the report summary here when issued; the full report ships under NDA on request.

What's already in place against SOC 2

Control areaStatus
CC6.1 — Logical access (auth + RBAC + tenant scoping) In place
CC6.6 — TLS for all customer traffic; HSTS preload In place
CC6.8 — Malware scanning of every upload (ClamAV, fail-closed) In place
CC7.1 — Vulnerability identification (NuGet advisories, host patching) In place
CC7.2 — Document QC + acknowledgement event before findings can be produced In place
CC7.3 — Audit log of privileged actions (immutable, structured) In place
CC9.2 — Subprocessor management and change notice In place

What's still being formalized

Control areaStatus
CC1.x — Documented governance + organization-chart evidence In progress
CC2.x — Risk-assessment process and recurrence In progress
CC6.2 — Personnel-access provisioning + offboarding evidence In progress
CC7.4/CC7.5 — Incident-response runbook + tabletop exercises In progress
Centralized log aggregation / SIEM Planned
Customer-facing status page (/status) Skeleton live

GDPR & CCPA

Our data-handling practices are designed to support customers who have obligations under the GDPR, the UK GDPR, and the California Consumer Privacy Act. Specifically:

Out of scope (today)

We don't claim certifications we don't hold. The following are not in scope and we won't pretend otherwise:

Frameworks we reference (without claiming certification)

Customer security reviews

During private beta, we respond to security reviews from prospective and active customers on a one-off basis. We do not yet maintain a CAIQ or SIG response. Submit review questions to support@illuminaterisk.ai with your timeline; we typically turn standard questionnaires around within ten (10) business days.

Contact

Compliance and assurance questions: support@illuminaterisk.ai. Legal / DPA: support@illuminaterisk.ai.