Back to Blog
Security

Enterprise Security: Our Journey to SOC 2 Type II Compliance

An inside look at how we built VM Hunter with security-first principles and obtained a clean SOC 2 Type II report.

David Kim

VP of Security

February 3, 2026
7 min read

Last month, VM Hunter completed our SOC 2 Type II audit with zero findings: the auditor's report noted no exceptions. That report represents months of work and validates our commitment to protecting customer data. Here's an inside look at our security journey.

Why SOC 2 Matters

SOC 2 (System and Organization Controls 2) is the AICPA attestation framework that most SaaS buyers ask for. An independent auditor evaluates a service organization's controls against five Trust Services Criteria:

  1. **Security**: Protection against unauthorized access (the "common criteria"; the only category every SOC 2 report must cover)
  2. **Availability**: System uptime and reliability
  3. **Processing Integrity**: Accurate, complete and timely data processing
  4. **Confidentiality**: Protection of confidential information
  5. **Privacy**: Personal information handling

The last four are in scope only if the organization elects them, so when you read a vendor's report, check which criteria it actually covers.

For call centers handling sensitive customer conversations, working with SOC 2 compliant vendors isn't optional—it's a requirement.

Building Security from Day One

When we founded VM Hunter, we made a deliberate choice: build security in from the start, not bolt it on later.

Infrastructure Decisions

  • **Cloud provider**: We chose AWS for its comprehensive security certifications
  • **Data residency**: All data stays within the customer's chosen region
  • **Encryption**: AES-256 at rest, TLS 1.3 in transit
  • **Isolation**: Each customer's data is logically isolated

Architecture Patterns

We adopted several security-focused architecture patterns:

Zero Trust Networking: Every service-to-service call requires authentication, even within our VPC. We use mutual TLS and short-lived credentials.

Least Privilege Access: Services only have permissions for exactly what they need. Our ML inference service can read audio streams but cannot access customer account data.

Defense in Depth: Multiple layers of security controls ensure that a single failure doesn't compromise the system.
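To make the first two patterns concrete, here is an added example in Go (not VM Hunter's code): a toy internal CA issues short-lived certificates, an HTTP service refuses any connection that does not present a certificate from that CA, and the handler then authorizes on the verified identity, so that a hypothetical ml-inference service can reach /audio but not /accounts. The service names, endpoints and CA are all assumptions made for the example; it uses only the standard library and runs on loopback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Mesh is a toy internal CA plus one mTLS-protected service; the service
// names used here ("audio-service", "ml-inference", "billing") are hypothetical.
type Mesh struct {
	Server *httptest.Server
	Pool   *x509.CertPool // the only trust anchor: our own CA
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

// issue signs a one-hour certificate for cn (self-signed when isCA); short
// lifetimes bound how long a stolen service key stays usable.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Issue returns the credential a named service presents on every call.
func (m *Mesh) Issue(cn string) tls.Certificate {
	cert, key := issue(cn, false, m.caCert, m.caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// allow is the least-privilege table: which verified identity may call which
// endpoint. The inference service gets audio and nothing else.
var allow = map[string]map[string]bool{
	"/audio":    {"ml-inference": true},
	"/accounts": {"billing": true},
}

// handler authorizes on the identity the TLS layer verified, never on the fact
// that the packet came from inside the VPC. RequireAndVerifyClientCert below
// guarantees PeerCertificates is non-empty by the time we get here.
func handler(w http.ResponseWriter, r *http.Request) {
	caller := r.TLS.PeerCertificates[0].Subject.CommonName
	if !allow[r.URL.Path][caller] {
		http.Error(w, caller+" may not call "+r.URL.Path, http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "ok: %s -> %s", caller, r.URL.Path)
}

// NewMesh builds the CA and starts the service with client certs required.
func NewMesh() *Mesh {
	m := &Mesh{Pool: x509.NewCertPool()}
	m.caCert, m.caKey = issue("mesh-root-ca", true, nil, nil)
	m.Pool.AddCert(m.caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{m.Issue("audio-service")},
		ClientAuth:   tls.RequireAndVerifyClientCert, // anonymous callers fail the handshake
		ClientCAs:    m.Pool,
		MinVersion:   tls.VersionTLS13,
	}
	srv.StartTLS()
	m.Server = srv
	return m
}

// Call performs one GET as the given identity (nil = no client cert) and
// returns the HTTP status, or an error when the handshake is refused.
func (m *Mesh) Call(id *tls.Certificate, path string) (int, error) {
	cfg := &tls.Config{RootCAs: m.Pool}
	if id != nil {
		cfg.Certificates = []tls.Certificate{*id}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(m.Server.URL + path)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	m := NewMesh()
	defer m.Server.Close()
	ml := m.Issue("ml-inference")
	fmt.Println(m.Call(&ml, "/audio"))    // 200 <nil>
	fmt.Println(m.Call(&ml, "/accounts")) // 403 <nil>
	fmt.Println(m.Call(nil, "/audio"))    // 0 plus a TLS handshake error
}
```

The two decisions worth copying are in NewMesh and handler: the listener, not the application, rejects unauthenticated peers (ClientAuth plus a pool containing only your own CA), and the application authorizes on the certificate's identity rather than on source IP or subnet. A certificate from any other CA, even one with the "right" common name, never reaches the handler.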

The Audit Process

SOC 2 Type II audits examine whether controls operated effectively over an observation period (typically 6-12 months, with 3 months accepted for a first report), unlike Type I, which only assesses whether controls are suitably designed at a single point in time.

Preparation

Six months before the audit, we:

  1. Documented all security policies and procedures
  2. Implemented continuous compliance monitoring
  3. Conducted internal security reviews
  4. Trained all employees on security practices

Control Categories

The auditors examined controls across several categories:

Access Controls

  • Multi-factor authentication for all employees
  • Role-based access with quarterly reviews
  • Automated deprovisioning for departing employees
  • Privileged access management for production systems

Change Management

  • Code review requirements for all changes
  • Automated testing in CI/CD pipelines
  • Staged rollouts with automatic rollback
  • Change advisory board for major releases

Incident Response

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Regular tabletop exercises
  • Post-incident review process

Vendor Management

  • Security assessments for all vendors
  • Contract requirements for data protection
  • Ongoing monitoring of vendor compliance

Key Technical Controls

Let me highlight some specific technical controls we implemented:

Encryption Key Management

We use AWS KMS with customer managed keys:

  • Key material never leaves the FIPS 140-validated HSMs behind KMS; our services call KMS to encrypt, decrypt or generate data keys and never handle the key itself
  • Automatic key rotation every 365 days. Rotation introduces new backing key material for future operations while KMS retains the previous material, so existing ciphertext still decrypts. The flip side is that rotation alone does not re-encrypt data already stored
  • Separate keys per customer (enterprise tier)
  • Every key operation is logged to CloudTrail, so we can audit who used which key, for what, and when

Network Security

Our network architecture includes:

  • Private subnets for all backend services
  • Web Application Firewall (WAF) for API endpoints
  • DDoS protection via AWS Shield
  • Network traffic logging and analysis

Data Handling

Audio data follows strict handling procedures:

  1. **In Transit**: Encrypted via TLS 1.3, certificate pinning on mobile SDKs
  2. **At Rest**: AES-256 encryption, per-customer keys
  3. **In Processing**: Processed in isolated containers, memory cleared after inference
  4. **Retention**: Configurable retention periods, secure deletion
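As an added illustration of the key-management and data-handling points above (example code, not VM Hunter's implementation), the following Go program models envelope encryption the way KMS-backed systems do it: a toy KMS holds one key-encryption key (KEK) per customer, hands out data keys wrapped under the newest KEK version, keeps old versions so that rotation does not break existing recordings, and deletes all versions to crypto-shred a customer's data. The ToyKMS type, the customer name "acme" and the sample audio bytes are constructed for the example, and AES-256-GCM with the customer name as associated data is a choice made here, not a description of VM Hunter's stack.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ToyKMS stands in for AWS KMS: one 256-bit key-encryption key (KEK) per
// customer, held in process memory here (real KMS keeps it inside an HSM).
// Callers never receive a KEK, only data keys it has wrapped or unwrapped.
type ToyKMS struct {
	keks map[string][][]byte // customer -> KEK versions, newest last
}

func NewToyKMS() *ToyKMS { return &ToyKMS{keks: map[string][][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM. Every key in this file is 32 bytes, so neither
// constructor can fail; a real service would still check the errors.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal and open use nonce||ciphertext||tag, with the customer name as
// associated data so a blob cannot be replayed under another tenant.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// WrappedKey is stored beside a recording: its data-encryption key (DEK)
// encrypted under one specific KEK version of one customer.
type WrappedKey struct {
	Customer string
	Version  int
	Blob     []byte
}

// CreateKey provisions a per-customer KEK. RotateKey adds a version but keeps
// the old ones, as KMS rotation does: stored ciphertext is not re-encrypted.
// DeleteKey destroys every version (crypto-shredding): nothing wrapped for
// that customer can be unwrapped again, whatever survives on disk.
func (k *ToyKMS) CreateKey(c string) { k.keks[c] = [][]byte{randomBytes(32)} }
func (k *ToyKMS) RotateKey(c string) { k.keks[c] = append(k.keks[c], randomBytes(32)) }
func (k *ToyKMS) DeleteKey(c string) { delete(k.keks, c) }

// GenerateDataKey mirrors KMS GenerateDataKey: a plaintext DEK for immediate
// use plus its copy wrapped under the newest KEK version, for storage.
func (k *ToyKMS) GenerateDataKey(c string) ([]byte, WrappedKey, error) {
	versions, ok := k.keks[c]
	if !ok {
		return nil, WrappedKey{}, errors.New("no key for customer")
	}
	dek, v := randomBytes(32), len(versions)-1
	return dek, WrappedKey{c, v, seal(versions[v], dek, []byte(c))}, nil
}

// Decrypt unwraps a DEK with whichever KEK version originally wrapped it.
func (k *ToyKMS) Decrypt(w WrappedKey) ([]byte, error) {
	versions, ok := k.keks[w.Customer]
	if !ok || w.Version < 0 || w.Version >= len(versions) {
		return nil, errors.New("key unavailable")
	}
	return open(versions[w.Version], w.Blob, []byte(w.Customer))
}

func main() {
	kms := NewToyKMS()
	kms.CreateKey("acme") // hypothetical customer
	audio := []byte("constructed sample: 16 kHz PCM frames")
	dek, w, _ := kms.GenerateDataKey("acme")
	ct := seal(dek, audio, []byte("acme")) // envelope: DEK used once, then dropped
	kms.RotateKey("acme")
	dek, err := kms.Decrypt(w) // still unwraps: the old KEK version is retained
	pt, _ := open(dek, ct, []byte("acme"))
	fmt.Printf("after rotation: %q %v\n", pt, err)
	kms.DeleteKey("acme")
	_, err = kms.Decrypt(w) // crypto-shredded: the DEK, and so the audio, is gone
	fmt.Println("after key deletion:", err)
}
```

Two things the toy makes visible that a diagram usually hides: rotation changes which KEK version new data keys use but leaves every stored recording wrapped under the version that created it, so retiring an old version requires re-wrapping those data keys first; and deleting a customer's KEK is the only step in "secure deletion" that does not depend on every copy, snapshot and backup of the ciphertext being found and erased.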

Continuous Compliance

Achieving SOC 2 compliance isn't a one-time event—it's an ongoing commitment.

Automated Monitoring

We use Vanta to continuously monitor our compliance posture:

  • Real-time alerts for policy violations
  • Automated evidence collection
  • Employee training tracking
  • Vendor risk management

Regular Testing

Our security testing program includes:

  • **Quarterly**: Vulnerability scans, access reviews
  • **Annually**: Penetration testing by third party, disaster recovery testing
  • **Ongoing**: Bug bounty program, security code reviews

What This Means for Customers

Our SOC 2 Type II report provides:

  1. **Assurance**: Independent validation that our security controls operated effectively over the audit period
  2. **Simplified Procurement**: Meet your vendor security requirements
  3. **Trust**: Evidence that we take security seriously
  4. **Compliance Support**: Helps with your own audit requirements

Enterprise customers can request our full SOC 2 report under NDA.

Looking Ahead

Security is never "done." Our roadmap includes:

  • **HIPAA compliance** for healthcare customers (Q2 2026)
  • **ISO 27001 certification** (Q3 2026)
  • **FedRAMP authorization** for government customers (2027)

We're committed to meeting the security needs of the most demanding enterprises. If you have questions about our security practices, reach out to security@vmhunter.com.