SOC 1 Compliance
Evolve maintains SOC 1 Type II compliance to give your organization confidence that our platform meets rigorous standards for controls relevant to financial reporting.
What Is SOC 1?
SOC 1 (System and Organization Controls 1) is an audit framework developed by the AICPA. It evaluates the internal controls at a service organization that are relevant to a customer's financial statements. A Type II report covers both the design and operating effectiveness of those controls over a defined period.
How Evolve Meets SOC 1 Requirements
Evolve undergoes an annual SOC 1 Type II audit conducted by an independent third-party auditor. The audit covers:
Access controls — role-based access, multi-factor authentication, and session management
Change management — code review processes, deployment approvals, and rollback procedures
Data processing integrity — validation of data pipelines for billing, usage tracking, and reporting
Incident response — documented procedures for identifying, escalating, and resolving security events
Requesting the SOC 1 Report
Evolve's SOC 1 Type II report is available to customers and prospects under NDA. To request a copy:
Contact your Evolve account manager or email security@evolveplatform.ai.
Sign the mutual NDA if one is not already in place.
You will receive the most recent report within 2 business days.
Continuous Monitoring
Between annual audits, Evolve maintains continuous monitoring of all controls covered by the SOC 1 report. Our security team reviews control effectiveness quarterly and addresses any gaps immediately.
For questions about Evolve's compliance posture, reach out to security@evolveplatform.ai.
Frequently Asked Questions
Q: How often does Evolve undergo a SOC 1 audit?
A: Evolve undergoes a SOC 1 Type II audit annually. The audit period typically covers a full 12-month cycle, and the resulting report is refreshed each year so customers always have access to a current assessment.
Q: How do I request a copy of the SOC 1 report?
A: Contact your Evolve account manager or email security@evolveplatform.ai. Because the report contains sensitive control details, it is shared under a mutual NDA. Once the NDA is in place, you will receive the report within 2 business days.
Q: What is the difference between SOC 1 Type I and Type II?
A: A Type I report evaluates whether controls are properly designed at a specific point in time. A Type II report goes further by testing whether those controls operated effectively over a defined period, usually 6 to 12 months. Evolve maintains a Type II report because it provides stronger assurance.
Q: Does Evolve use sub-processors that are also covered by the SOC 1 audit?
A: Evolve relies on certain sub-processors, such as cloud infrastructure providers, for core platform operations. These sub-processors maintain their own SOC reports, and Evolve reviews them as part of its vendor management program. A list of current sub-processors is available upon request from security@evolveplatform.ai.