Compliance

SOC 2 Type II for Lead Routing

Lead Router is architected against the SOC 2 Type II Trust Services Criteria from the AICPA. The Type II audit is in progress with an independent auditor. This page describes the controls in plain English so enterprise security teams can complete a vendor review without waiting on back-and-forth email.

Trust Services Criteria: 5 of 5
Tenant isolation: row-level on 64 tables
Type II audit: in progress

The Framework

What SOC 2 actually requires

SOC 2 is the industry standard for vendor security review in North America. A plain-English explanation of what the framework is and how Type I and Type II differ.

SOC 2 is a security and controls framework published by the AICPA (American Institute of Certified Public Accountants). It defines a set of Trust Services Criteria that a service organization can be audited against by an independent CPA firm. SOC 2 is not a government regulation. It is an attestation framework that enterprise buyers rely on when their procurement and security teams perform vendor reviews. A valid SOC 2 report is what replaces a long back-and-forth security questionnaire in most enterprise deals.

There are two flavors of SOC 2 report. Type I is a point-in-time attestation that the design of the controls is suitable as of a specific date. Type II goes further. It covers an observation window (commonly six to twelve months) during which the auditor checks that the controls were not only designed correctly but actually operated effectively over time. Most enterprise security reviews require Type II, because it demonstrates sustained performance rather than a snapshot.

The framework has five Trust Services Criteria. Security is the required baseline and every SOC 2 report includes it. The other four (Availability, Processing Integrity, Confidentiality, Privacy) are optional additions and a service organization picks the ones that matter to its customers. For a B2B platform like Lead Router that moves customer PII between partners and buyers, Availability and Confidentiality are always in scope and Processing Integrity matters because contracts, caps, and billing must be correct.

Enterprise buyers (insurance carriers, banks, healthcare groups, publicly traded media companies) require SOC 2 because their own auditors require it of them. When one of your large customers asks for a SOC 2 report, they are not asking a polite question. Their procurement process will not close the deal without a valid attestation. This page exists so their security team can start the review without waiting on us.

Our Architecture

How Lead Router is built for SOC 2

Specific controls keyed to each of the five Trust Services Criteria. Written in operator voice, not marketing.

Security (required baseline)

Multi-factor authentication is available on every admin account using TOTP and Passkey/WebAuthn. Access is role-based (admin, buyer, partner, superadmin) and every admin action writes to an immutable audit log. Tenant data is isolated at the row level on 64 per-tenant tables, enforced by application-layer query helpers on every read, write, update, and delete. Sentry monitors production errors in real time and a daily digest runs against the Sentry API to surface regressions. Secrets are stored in Vercel environment variables, AES-256-GCM is used for PII at rest, and TLS 1.2 or higher is required in transit.

Availability

The platform runs on Vercel with multi-region edge and serverless functions, so a single regional incident does not take the tenant offline. The primary database is Neon Postgres with automated continuous backups and point-in-time restore. A public /api/health endpoint reports database connectivity and hot-path table reachability, and is hit by an external uptime monitor on a 60-second interval so incidents page out quickly instead of sitting in a queue.

Processing Integrity

Lead routing, cap accounting, and balance changes run inside database transactions on the postgres-js driver. Cap counters use atomic increments against a dedicated capCounter table with daily, weekly, and monthly periods, so two leads arriving in the same millisecond cannot both win a cap-bounded contract. Every deploy runs a comprehensive test suite covering routing waterfall truth tables, ping-post auctions, dedup, and state machine transitions before the build is promoted.
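As an added illustration of the atomic cap-claim pattern the paragraph describes (example SQL, not Lead Router's own schema or query), assuming a constructed cap_counter table keyed by contract, period, and period key, with the daily, weekly, and monthly keys passed in as $2 through $4:

```sql
-- Constructed schema for this example; the project's real capCounter layout is not on this page.
CREATE TABLE cap_counter (
  contract_id bigint  NOT NULL,
  period      text    NOT NULL CHECK (period IN ('daily', 'weekly', 'monthly')),
  period_key  text    NOT NULL,   -- e.g. '2026-03-14', '2026-W11', '2026-03'
  used        integer NOT NULL DEFAULT 0,
  cap         integer NOT NULL,
  PRIMARY KEY (contract_id, period, period_key)
);

-- Racy pattern (what the atomic increment avoids): read, compare in application code, write.
-- Two leads in the same millisecond both read used = 99 < cap = 100 and both increment.
--   SELECT used, cap FROM cap_counter WHERE contract_id = $1 AND period = 'daily' AND period_key = $2;
--   UPDATE cap_counter SET used = used + 1 WHERE contract_id = $1 AND period = 'daily' AND period_key = $2;

-- Atomic pattern: lock the three period rows, then compare and increment in one statement.
-- A second concurrent transaction blocks on FOR UPDATE, re-reads the committed used = 100,
-- and claims nothing, so only one lead wins the cap-bounded contract.
BEGIN;

WITH locked AS (
  SELECT contract_id, period, period_key, used, cap
    FROM cap_counter
   WHERE contract_id = $1
     AND (period, period_key) IN (('daily', $2), ('weekly', $3), ('monthly', $4))
   FOR UPDATE
),
claim AS (
  UPDATE cap_counter c
     SET used = c.used + 1
    FROM locked l
   WHERE c.contract_id = l.contract_id
     AND c.period      = l.period
     AND c.period_key  = l.period_key
     AND (SELECT count(*) FROM locked) = 3                   -- all three counters exist
     AND NOT EXISTS (SELECT 1 FROM locked WHERE used >= cap)  -- none is already full
  RETURNING c.period, c.used
)
SELECT count(*) = 3 AS won FROM claim;

-- In the same transaction: if won is false, ROLLBACK and fall through to the next buyer
-- in the waterfall; if true, insert the routing record and COMMIT.
COMMIT;
```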

Confidentiality

Customer records, including lead PII, are scoped per tenant with application-enforced filters on every query. The engineering team operates under least-privilege access and production database credentials are scoped to short-lived, auditable sessions. Every team member signs an NDA as a condition of access to customer data. Production and staging environments are separated and test data is prefixed with test- so it cannot be confused with live records.

Privacy

Lead Router publishes a plain-English privacy policy at theleadrouter.com/privacy covering what is collected, why, and how long it is retained. Data subject requests (access, deletion, correction) are handled through a dedicated /dsr workflow with a documented 30-day service level for deletion. Consent captured at the form (language, IP, timestamp) is stored alongside the lead and call records so the consent trail is auditable for compliance review.

Where We Are Today

Audit status, stated honestly

We do not claim finished attestation. Here is exactly where the audit stands and what to expect.

The SOC 2 Type II audit is in progress during 2026 with an independent CPA firm. The scope covers the Security, Availability, and Confidentiality Trust Services Criteria at minimum, with Processing Integrity and Privacy included through related controls. Controls documentation is in place, the control environment is live in production, and the auditor is in the evidence collection phase of the observation window.

We will publish the attestation date on this page once the auditor issues the final Type II report. The full report will be available to qualified prospects under a mutual NDA at that point. We will not claim "SOC 2 compliant" or "SOC 2 certified" until the attestation is actually in hand. Anyone who claims either of those phrases without an issued report is misusing the framework.

In the meantime, the controls described on this page are already enforced in production. An enterprise security team can review the architecture today, issue their standard vendor questionnaire, and proceed with procurement on the understanding that the Type II report is pending.

Inside The Audit

What the audit actually covers

A SOC 2 Type II audit is a structured process. Here is what happens between "in progress" and "report issued."

  • Controls documentation. Every in-scope control is written down with the policy, the responsible owner, the test procedure, and the evidence source. The auditor uses this as the basis for sampling.
  • Evidence collection over the window. Over the observation period, the auditor samples logs, access reviews, change management tickets, deploy records, and incident responses to confirm the control is operating as designed.
  • Independent auditor review. A CPA firm that is not the vendor performs the attestation. This is the key difference from a self-assessment. The auditor attests, not the vendor.
  • Final Type II report. The auditor produces a report covering the scope, control descriptions, tests performed, exceptions noted, and an overall opinion on operating effectiveness over the observation window.
  • Annual renewal. Type II is not a one-time event. Once issued, a fresh report is produced annually to cover the next observation window so the attestation stays current.

For Security Teams

Getting the report

How enterprise security teams access the attestation materials before and after the audit is complete.

A public summary describing the scope, the Trust Services Criteria in scope, and the current attestation status is available on this page. This is enough for most vendor security questionnaires to get started. If the buyer needs the full Type II report, contact sales@iscale.com and the sales team will route the request to the security contact.

The full SOC 2 Type II report will be made available to qualified prospects under a mutual NDA once the auditor issues it. We do not post the full report publicly because it contains control detail that is only appropriate for an audience performing a security review under confidentiality terms. Every enterprise vendor operates this way.

If a prospect needs the report before the Type II observation window closes, we can share the Type I design report covering the same control framework as a point-in-time attestation. Ask the sales team when you make the request.

Frequently Asked

FAQ

The questions enterprise security teams ask about Lead Router's SOC 2 posture.

Is Lead Router SOC 2 compliant?

Lead Router is architected against the SOC 2 Type II Trust Services Criteria and a Type II audit is currently in progress. We do not claim finished attestation yet. Security controls are in place today (multi-factor auth, row-level tenant isolation, audit logging, AES-256-GCM encryption at rest, TLS in transit), and the independent auditor is observing operating effectiveness over the defined window.

What trust services criteria do you target?

Security is the required baseline for every SOC 2 engagement. Lead Router also targets Availability and Confidentiality because enterprise buyers commonly ask for them. Processing Integrity is covered in practice through transactional writes and cap counter correctness. Privacy is addressed through a published policy and a documented data subject request workflow.

When will the SOC 2 Type II report be available?

The Type II audit is in progress during 2026. A Type II report requires an observation window (commonly six to twelve months) during which the auditor validates that controls operate effectively over time, followed by the auditor drafting the final report. We will publish the attestation date once the auditor issues the report.

Can I see the report?

A public summary describing the scope, control families, and attestation status is available on this page. The full SOC 2 Type II report will be shared with qualified prospects under a mutual NDA after the auditor issues attestation. Contact sales@iscale.com to request the report once it is available.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I attests that the design of controls is suitable at a single point in time. SOC 2 Type II attests that the controls not only exist but also operate effectively over a defined observation window, typically six to twelve months. Enterprise vendor reviews generally require Type II because it demonstrates sustained control performance, not just a snapshot.

Enterprise Ready

Enterprise lead routing with SOC 2 architecture

The controls enterprise security teams expect, documented so your procurement review can move forward. Start a trial, or request the attestation materials for your vendor questionnaire.

SOC 2 Type II audit in progress. Full report available under NDA after attestation.