EN
EN FR DE
Home | Blog | CybelAngel Achieves SOC 2 Type I Certification for 2026

CybelAngel Achieves SOC 2 Type I Certification for 2026

Written by: CybelAngel IT Department

3 min readMarch 31, 2026
CybelAngel Renews SOC 2, Type 1 Compliance

Every enterprise we work with has the same question when they onboard: can we trust you with our data?

SOC 2 Type I is our answer: independently verified by A-LIGN Assurance and signed off as of January 31, 2026. Here’s what that actually means, what auditors examined, and why it matters for your security program.

What auditors actually checked

SOC 2 Type I isn’t a questionnaire or a self-assessment. A-LIGN conducted a formal examination under AICPA AT-C 105 and AT-C 205 attestation standards, evaluating whether our controls were suitably designed as of the audit date across two trust services categories: Security and Confidentiality.

The audit covered nine control domains:

  • Control Environment (CC1) — how CybelAngel communicates values, holds personnel accountable, and structures management oversight
  • Information & Communication (CC2) — how security policies reach the people responsible for them
  • Risk Assessment (CC3) — how we identify, rate, and address operational, strategic, and compliance risks
  • Monitoring (CC4) — how we detect control failures and escalate them
  • Control Activities (CC5) — the specific preventive, detective, and corrective controls we run
  • Logical & Physical Access (CC6) — who can access what, and how that access is granted, reviewed, and revoked
  • System Operations (CC7) — how we detect anomalies, respond to incidents, and recover from security events
  • Change Management (CC8) — how we test and approve changes before they reach production
  • Risk Mitigation (CC9) — how we manage vendor and business partner risks

A-LIGN used four testing methods: inquiry, observation, inspection of source documents and system configurations, and re-performance of controls.

What the report covers (and what it doesn’t)

The scope covers CybelAngel’s External Threat Intelligence Platform Services System, operated from our Paris, France facility.

Our cloud infrastructure runs on Google Cloud Platform. GCP’s physical security controls include badge readers, biometric access, perimeter barriers, and continuous video surveillance. These fall under their own compliance obligations and are excluded from this report’s scope. We require GCP to hold ISO 27001, SOC 1 Type 2, or SOC 2 Type 2 certifications, and we review their attestation reports as part of our vendor risk program.

The controls that protect your data

A few specifics worth calling out from the report:

  • Access is role-based and reviewed monthly. Every employee authenticates via Google Workspace with token-based two-factor authentication. Access is provisioned automatically one week before a start date based on job role, and revoked automatically when an employee leaves. Our IT team audits logical access every 30 days.
  • Data is encrypted at rest and in transit. We use AES encryption for stored data and TLS for all connections, including customer access to the SaaS platform. Backup data is replicated daily to a separate availability zone and stored in encrypted format.
  • Vulnerability scanning runs daily. Penetration testing by an independent third-party vendor runs annually. Both feed into a risk remediation process where high-severity findings are addressed immediately.
  • Production is isolated from development. Code changes require peer review before a pull request merges into production. All changes are tracked in version control with full rollback capability.
  • Incidents are classified, tracked, and reviewed. Our incident response procedures define severity classifications, assign ownership, and require a root cause analysis for critical incidents. Management reviews an annual incident summary to identify patterns that warrant new controls.
  • Confidential data has a defined lifecycle. We maintain an asset inventory for data classified as confidential. When data reaches the end of its retention period, it is destroyed and rendered unreadable.

What this means for your security program

If your organization evaluates vendors through a formal risk management process, this report gives you something concrete to work with. It covers the controls your procurement or security team typically asks about: access management, encryption, incident response, change control, and data disposal.

For regulated industries like financial services, healthcare, and government, a current SOC 2 report is often a procurement prerequisite. We can provide a copy to your auditors or security team on request.

A note on Type I vs. Type II

SOC 2 comes in two forms. Type I, which this report represents, assesses whether controls are suitably designed at a point in time. Type II assesses whether those controls operated effectively over a defined period, typically six to twelve months.

We complete Type I audits annually to validate our control design as the platform evolves. We treat this as part of our security program, not a checkbox.

Request the full report

Security professionals and procurement teams can request a full copy of CybelAngel’s 2026 SOC 2 Type I report.

CybelAngel analyzes more than 6 million data points daily to identify exposed corporate assets across the visible web, deep web, dark web, and connected storage devices. Our platform combines machine learning with analyst expertise to find leaks before they become breaches.

Contact Us

About the author

CybelAngel IT Department

The IT and Security team manage and maintain the highest levels of information security management at CybelAngel.

read all the articles