
Enterprise Security: Our Journey to SOC 2 Type II Compliance

An inside look at how we built VM Hunter with security-first principles and achieved SOC 2 Type II certification.

David Kim

VP of Security

February 3, 2026

Last month, VM Hunter completed our SOC 2 Type II audit with zero findings. This certification represents months of work and validates our commitment to protecting customer data. Here's an inside look at our security journey.

Why SOC 2 Matters

SOC 2 (Service Organization Control 2) is the gold standard for SaaS security compliance. It evaluates five trust principles:

  1. Security: Protection against unauthorized access
  2. Availability: System uptime and reliability
  3. Processing Integrity: Accurate and complete data processing
  4. Confidentiality: Protection of confidential information
  5. Privacy: Personal information handling

For call centers handling sensitive customer conversations, working with SOC 2 compliant vendors isn't optional—it's a requirement.

Building Security from Day One

When we founded VM Hunter, we made a deliberate choice: build security in from the start, not bolt it on later.

Infrastructure Decisions

  • Cloud provider: We chose AWS for its comprehensive security certifications
  • Data residency: All data stays within the customer's chosen region
  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Isolation: Each customer's data is logically isolated

Architecture Patterns

We adopted several security-focused architecture patterns:

Zero Trust Networking: Every service-to-service call requires authentication, even within our VPC. We use mutual TLS and short-lived credentials.

Least Privilege Access: Services only have permissions for exactly what they need. Our ML inference service can read audio streams but cannot access customer account data.

Defense in Depth: Multiple layers of security controls ensure that a single failure doesn't compromise the system.

The Audit Process

SOC 2 Type II audits examine controls over a period of time (typically 6-12 months), unlike Type I which is a point-in-time snapshot.

Preparation

Six months before the audit, we:

  1. Documented all security policies and procedures
  2. Implemented continuous compliance monitoring
  3. Conducted internal security reviews
  4. Trained all employees on security practices

Control Categories

The auditors examined controls across several categories:

Access Controls

  • Multi-factor authentication for all employees
  • Role-based access with quarterly reviews
  • Automated deprovisioning for departing employees
  • Privileged access management for production systems

Change Management

  • Code review requirements for all changes
  • Automated testing in CI/CD pipelines
  • Staged rollouts with automatic rollback
  • Change advisory board for major releases

Incident Response

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Regular tabletop exercises
  • Post-incident review process

Vendor Management

  • Security assessments for all vendors
  • Contract requirements for data protection
  • Ongoing monitoring of vendor compliance

Key Technical Controls

Let me highlight some specific technical controls we implemented:

Encryption Key Management

We use AWS KMS with customer-managed keys (CMK):

  • Master keys never leave the HSM
  • Automatic key rotation every 365 days
  • Separate keys per customer (enterprise tier)
  • Full audit logging of key usage
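As an added example (not VM Hunter's code), here is the kind of automated check a continuous-compliance monitor would run against each key to produce evidence for the first three controls above. The input records mirror the shapes of boto3's kms.describe_key(), get_key_rotation_status() and list_resource_tags() responses (an assumption; a live monitor would call those APIs), and the tier/customer_id tags are hypothetical.

```python
"""Automated check of the KMS key-management controls described above.
Added example, not VM Hunter's code. Record shapes follow boto3's
kms.describe_key() / get_key_rotation_status() / list_resource_tags()
responses (assumed); the tier/customer_id tags are hypothetical."""

ROTATION_DAYS = 365  # rotation period stated in the post


def tag(key, name):
    """Return the value of tag `name` from a list_resource_tags-style list, or None."""
    return next((t["TagValue"] for t in key.get("Tags", []) if t["TagKey"] == name), None)


def check_key(key):
    """Return the control violations for one key record (empty list == compliant)."""
    meta, rot, findings = key["KeyMetadata"], key["Rotation"], []
    # Control: master keys never leave the HSM -> material generated inside
    # KMS or CloudHSM (never imported), and the key is customer-managed and usable.
    if meta.get("Origin") not in ("AWS_KMS", "AWS_CLOUDHSM"):
        findings.append(f"key material not HSM-generated (Origin={meta.get('Origin')})")
    if meta.get("KeyManager") != "CUSTOMER":
        findings.append("not a customer-managed key")
    if meta.get("KeyState") != "Enabled":
        findings.append(f"key state is {meta.get('KeyState')}")
    # Control: automatic rotation every 365 days.
    if not rot.get("KeyRotationEnabled"):
        findings.append("automatic rotation disabled")
    elif rot.get("RotationPeriodInDays", ROTATION_DAYS) != ROTATION_DAYS:
        findings.append(f"rotation period {rot['RotationPeriodInDays']}d, expected {ROTATION_DAYS}d")
    # Control: separate keys per customer on the enterprise tier.
    if tag(key, "tier") == "enterprise" and not tag(key, "customer_id"):
        findings.append("enterprise-tier key is not dedicated to one customer")
    return findings


def check_fleet(keys):
    """Map KeyId -> violations, the evidence a monitor attaches to the audit record."""
    return {k["KeyMetadata"]["KeyId"]: check_key(k) for k in keys}


# Constructed sample records: one compliant key, one with three violations.
GOOD_KEY = {
    "KeyMetadata": {"KeyId": "k-good", "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "Rotation": {"KeyRotationEnabled": True, "RotationPeriodInDays": 365},
    "Tags": [{"TagKey": "tier", "TagValue": "enterprise"}, {"TagKey": "customer_id", "TagValue": "c-001"}],
}
BAD_KEY = {
    "KeyMetadata": {"KeyId": "k-bad", "Origin": "EXTERNAL", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    "Rotation": {"KeyRotationEnabled": False},
    "Tags": [{"TagKey": "tier", "TagValue": "enterprise"}],
}
```

Running check_fleet([GOOD_KEY, BAD_KEY]) reports no findings for k-good and three for k-bad (imported key material, rotation disabled, no dedicated customer).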

Network Security

Our network architecture includes:

  • Private subnets for all backend services
  • Web Application Firewall (WAF) for API endpoints
  • DDoS protection via AWS Shield
  • Network traffic logging and analysis

Data Handling

Audio data follows strict handling procedures:

  1. In Transit: Encrypted via TLS 1.3, certificate pinning on mobile SDKs
  2. At Rest: AES-256 encryption, per-customer keys
  3. In Processing: Processed in isolated containers, memory cleared after inference
  4. Retention: Configurable retention periods, secure deletion

Continuous Compliance

Achieving SOC 2 compliance isn't a one-time event—it's an ongoing commitment.

Automated Monitoring

We use Vanta to continuously monitor our compliance posture:

  • Real-time alerts for policy violations
  • Automated evidence collection
  • Employee training tracking
  • Vendor risk management

Regular Testing

Our security testing program includes:

  • Quarterly: Vulnerability scans, access reviews
  • Annually: Penetration testing by a third party, disaster recovery testing
  • Ongoing: Bug bounty program, security code reviews

What This Means for Customers

Our SOC 2 Type II certification provides:

  1. Assurance: Independent validation of our security controls
  2. Simplified Procurement: Meet your vendor security requirements
  3. Trust: Evidence that we take security seriously
  4. Compliance Support: Helps with your own audit requirements

Enterprise customers can request our full SOC 2 report under NDA.

Looking Ahead

Security is never "done." Our roadmap includes:

  • HIPAA compliance for healthcare customers (Q2 2026)
  • ISO 27001 certification (Q3 2026)
  • FedRAMP authorization for government customers (2027)

We're committed to meeting the security needs of the most demanding enterprises. If you have questions about our security practices, reach out to security@vmhunter.com.