SOC 2 Type II compliance at Exclaimer
Exclaimer holds an independently audited Service Organization Control (SOC) 2 Type II attestation covering Security, Availability, and Confidentiality. Our most recent audit was completed by BARR Advisory in February 2026. Exclaimer is the only dedicated email signature management provider publicly listing both ISO 27001 and SOC 2 Type II certifications.
At a glance
Independent auditor: BARR Advisory, P.A.
Trust Service Criteria covered: Security, Availability, Confidentiality
Audit cadence: Annual
Most recent audit period: February 2026
This page covers what our SOC 2 Type II report includes, how we meet the trust service criteria in scope, and where to find the audit evidence your security and procurement teams need.
"A Type II report shows how controls actually performed across the audit window, not just how they were designed on paper. That's what procurement and security teams want to see, and it's what we provide." — Karl Bagci, Director of IT and Information Security, Exclaimer
What does SOC 2 Type II cover?
SOC 2 is the audit framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating how service organizations manage customer data in the cloud. It is one of the most widely requested standards in US enterprise vendor reviews.
SOC 2 Type II in plain terms
SOC 2 is an attestation, not a certification. An independent auditor evaluates a service organization's controls against the trust service criteria the organization chooses to include. The auditor issues a report describing what was tested and the conclusions reached.
Type II is the version most security and procurement teams look for. A Type I report confirms controls are designed correctly at a single point in time. A Type II report proves those controls operated effectively across a continuous audit period, typically 12 months, with evidence collected throughout. The result is independently validated evidence that the controls protecting customer data are operating effectively over time.
Why SOC 2 Type II matters for email signature management
Email signature management platforms like Exclaimer integrate directly with Microsoft 365 and Google Workspace directories, processing directory data and routing email through the service. SOC 2 Type II compliance provides assurance that the controls protecting this data, including employee information and email content during processing, operate effectively over time, not just at a single point.
The trust service criteria in our report
Exclaimer's SOC 2 Type II report covers three of the five trust service criteria:
Security (Common Criteria): Protection of systems and customer data against unauthorized physical and logical access.
Availability: Operation and uptime of the service as committed to customers.
Confidentiality: Protection of information designated as confidential by the customer.
Processing Integrity and Privacy aren’t in scope. Privacy controls for personally identifiable information are covered by our broader information security program and the data protection obligations set out in our customer agreements.
Who audits Exclaimer's SOC 2 Type II report?
Our SOC 2 Type II audits are conducted annually by BARR Advisory, an AICPA-registered audit firm. Our most recent report was issued in February 2026 and covers the Security, Availability, and Confidentiality trust service criteria.
| Scope | Audit cadence |
|---|---|
| Our report covers the development, operation, and support of Exclaimer's cloud-hosted email signature management platform. This includes the infrastructure, processes, and personnel involved in delivering the service. | Annual Type II audits across a continuous 12-month observation period. Controls are tested by the auditor against the trust service criteria in scope, with evidence collected throughout the audit window. |
How does Exclaimer meet SOC 2 Type II trust service criteria?
Exclaimer meets the three trust service criteria in scope of our SOC 2 Type II report through a combination of platform architecture, operational controls, and continuous monitoring. The summaries below describe how each criterion is implemented across our cloud platform.
| Criterion | How it's met | Key controls |
|---|---|---|
| Security | Platform hosted on Microsoft Azure with logical segregation between customer tenants | Multi-factor authentication on all privileged access; TLS encryption for data in transit; AES-256 encryption at rest |
| Availability | Hosted across 14 Microsoft Azure datacenters in seven geographically separated active-active pairs | Automatic regional failover; 99.99% average uptime |
| Confidentiality | No persistent storage of customer email content; messages processed in memory only | Signature applied and message returned to mail flow; no archives; no facility for personnel to browse email bodies |
For the technical controls behind each of these areas, see our security overview page.
How do I get a copy of Exclaimer's SOC 2 Type II report?
This page is designed to support your vendor risk assessment. The Exclaimer Trust Center is where the underlying audit evidence lives. Our SOC 2 Type II report, along with the supporting audit evidence, is available in the Exclaimer Trust Center under NDA. You'll also find pre-completed answers to over 350 questions covering our wider security and compliance program.
If your vendor review needs documentation or context that isn't in the Trust Center, contact our security team directly.
Visit the Trust Center →
Frequently asked questions about Exclaimer’s SOC 2 Type II compliance
BARR Advisory audits our SOC 2 Type II report. BARR is an AICPA-registered audit firm and one of the leading SOC and ISO audit firms in the U.S.
SOC 2 Type I evaluates control design at a single point in time; SOC 2 Type II evaluates whether controls operated effectively over 12 months with continuous evidence collection. Type II is the standard most security and procurement teams require because it demonstrates sustained operational effectiveness.
Our report covers the Security (Common Criteria), Availability, and Confidentiality trust service criteria. Processing Integrity and Privacy aren't in scope.
Processing Integrity applies to systems acting as a source of truth for transactional data, which Exclaimer's platform isn't. Privacy controls for personally identifiable information are handled through our broader information security program and the data protection obligations in our customer agreements.
Our most recent SOC 2 Type II audit was completed in February 2026. Audits run annually across a continuous 12-month audit period.
The current SOC 2 Type II report is available on request from the Exclaimer Trust Center under NDA, along with the supporting audit evidence and pre-completed security questionnaire responses.
Talk to Exclaimer's security team
If your vendor review needs documentation, context, or audit evidence that isn't covered here or in the Trust Center, our security team can walk you through the specifics directly.
Contact our security team →




