SOC 2 Type II

Privacy and confidentiality built into every layer.

Conovio is trusted with sensitive candidate intelligence by executive search firms, in-house talent teams, and private equity operators. Our SOC 2 Type II program is the foundation of that trust.

SOC 2 Type II · GDPR-aligned · CCPA · Enterprise SSO

SOC 2 Type II Compliant

Conovio undergoes annual SOC 2 Type II audits across the AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Reports available under NDA.

Encryption everywhere

All candidate data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Sensitive credentials and API keys are stored in an isolated, encrypted secrets vault.

Per-tenant isolation

Every firm operates inside an isolated workspace with row-level security enforced at the database layer. Your candidate data is never blended with another customer's.

SSO & role-based access

SAML 2.0 and OIDC SSO, granular owner / partner / associate roles, and least-privilege access. Session policies and MFA are enforced for the admin tier.

Audit-ready logs

Every dossier generated, exported, shared, or viewed is recorded in an immutable audit trail — exportable for your security and compliance teams.

Privacy by design

GDPR and CCPA aligned. Data minimization, configurable retention, DSR tooling, and a documented sub-processor list. Candidate data is never used to train third-party AI models.

Certification detail

SOC 2 Type II — the standard enterprises require.

SOC 2 Type II is the most critical third-party security certification for selling software into mid-market and enterprise organizations. Unlike a Type I attestation — which captures controls at a single point in time — a Type II report verifies that Conovio's security, availability, and confidentiality controls operate effectively over an extended audit window (typically 6–12 months).

Our independent auditor evaluates controls against the AICPA Trust Services Criteria, including access management, change management, system monitoring, incident response, vendor management, and data confidentiality. The resulting report is what enterprise security, procurement, and legal teams ask for during vendor review.

What's in scope

  • The Conovio platform, APIs, and Conovio Context™ generation pipeline
  • Production infrastructure, databases, and secrets management
  • Engineering access, change management, and SDLC controls
  • Sub-processor management and data handling procedures

How to request the report

Customers and active prospects can request the latest SOC 2 Type II report, our penetration test summary, and our sub-processor list by emailing security@conovio.com. Reports are shared under a mutual NDA.

Security questions?
Our security team responds within one business day.

See also our Privacy Policy and Terms of Service.