Verified Over Time: Partos Achieves SOC 2 Type II Compliance

Jun 20, 20264 min read

Verified Over Time: Partos Achieves SOC 2 Type II Compliance

Partos has completed its SOC 2 Type II audit. The report covers the Security, Availability, and Confidentiality Trust Services Criteria across a continuous observation period, audited by an independent CPA firm in accordance with the AICPA's AT-C 105 and AT-C 205 attestation standards. It is the most rigorous third-party verification of operational security discipline a private SaaS company can carry, and the appropriate baseline for a platform that exists to inform decisions inside the defense industrial base.

We are publishing this not as a marketing milestone but as a statement of operating posture. The customers who use Partos AI to map their supply chains do so because the information they put into the platform is operationally sensitive. SOC 2 Type II is the floor we believed that responsibility required. The audit period is closed; the controls remain.

What Type II Means That Type I Does Not

SOC 2 reports come in two forms, and the difference is duration. A Type I report attests to the design of a control environment at a single point in time. A Type II report attests to the operating effectiveness of those same controls across a multi-month observation period, typically six to twelve months, during which the auditor independently samples evidence that each control fired correctly every time it should have. Access reviews actually happened on the schedule the policy claimed. Change tickets actually carried the approvals the workflow required. Backups actually ran, and restore tests actually verified them.

The distinction matters because it is the difference between a policy binder and a discipline. Many organizations can pass Type I by writing the right documents on the right day. Type II tests whether those documents reflect what the company actually does, every day, when no one is watching the calendar.

This is a meaningful test. There is no place in a Type II audit period for ad-hoc workflows that compensate for missing automation, no place for retrospective documentation, no place for the kind of "we'll fix it before next quarter" that audit calendars sometimes tolerate. Either the controls operate continuously, or they do not.

Why This Threshold, Specifically

The Partos platform aggregates and analyzes information that, taken in isolation, is unclassified, but taken in aggregate paints a picture of program dependencies that responsible customers will not share without a clean audit trail. The customers who rely on Partos to map Tier-2 and Tier-3 exposure inside their programs are the same customers writing rigorous security requirements into their own supplier relationships. They expect their SaaS suppliers to operate at the same standard they expect of themselves.

SOC 2 Type II is the recognized AICPA framework for that expectation. What it establishes, unambiguously, is that the security, availability, and confidentiality controls protecting the Partos environment have been independently verified to operate as designed, continuously, across the audit period.

What the Audit Actually Covered

The Type II report covers the three Trust Services Criteria most relevant to a defense supply chain intelligence platform.

Security, the common baseline for all SOC 2 audits, addresses access controls, change management, vulnerability management, incident response, network defense, and the broader logical and physical safeguards that protect against unauthorized access. For a platform like ours, this includes multi-factor authentication on all production paths, principle-of-least-privilege role assignments, segregation of production and non-production environments, and continuous logging of administrative actions.

Availability addresses the operational commitments customers depend on: monitoring, capacity planning, disaster recovery testing, and incident response readiness. For a SaaS platform whose customers may use Partos AI inside time-sensitive procurement decisions, the availability commitment is operational, not aspirational.

Confidentiality addresses how non-public information shared with the platform is identified, restricted, and disposed of when its purpose is complete. For a system designed around customer-supplied data about supplier relationships, qualification status, and program dependencies, confidentiality is not a feature. It is the product.

Compliance as Design Constraint, Not Paperwork

A recurring theme in this blog is that the cleared U.S. defense ecosystem has moved decisively away from treating compliance as a binder kept on a shelf. ITAR has become a software design constraint. CMMC has become a procurement gate. FOCI has become a transaction-killer in defense M&A. Customers and regulators alike now expect security and compliance to be embedded in how systems are built and operated, not bolted on before an audit.

We agree with that posture, and we are building accordingly. The control discipline that earned the Type II report, including automated evidence collection, continuous monitoring, change management that operates without exceptions, vulnerability remediation on schedule, and access reviews that actually happen, is not a checkpoint cleared and forgotten. It is how the platform runs.

The Standard We Hold Ourselves To

Defense industrial base software lives or dies on the question of whether customers can trust the platform with their data. There is no shortcut around that question. SOC 2 Type II is the answer we owe customers who have asked it, and it is verified independently, across time, not asserted.

For now, the report is in the file room. Annual recertification begins immediately. Customers, partners, and prospects who would like to review the SOC 2 Type II report under NDA can request it through their Partos point of contact.

The audit is done. The discipline continues.