SOC 2 Type II compliance at Exclaimer

Exclaimer holds an independently audited SOC 2 Type II attestation covering Security, Availability, and Confidentiality. Our most recent audit was completed by BARR Advisory, in February 2026.

This page covers what our SOC 2 Type II report includes, how we meet the trust service criteria in scope, and where to find the audit evidence your security and procurement teams need.

What SOC 2 Type II covers

SOC 2 is the audit framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating how service organizations manage customer data in the cloud. It is one of the most widely requested standards in US enterprise vendor reviews.

SOC 2 Type II in plain terms

SOC 2 is an attestation, not a certification. An independent auditor evaluates a service organization's controls against the trust service criteria the organization chooses to include. The auditor issues a report describing what was tested and the conclusions reached.

Type II is the version most security and procurement teams look for. A Type I report confirms controls are designed correctly at a single point in time. A Type II report proves those controls operated effectively across a continuous audit period, typically 12 months, with evidence collected throughout. The result is independently validated evidence that the controls protecting customer data are operating effectively over time.

The trust service criteria in our report

Exclaimer's SOC 2 Type II report covers three of the five trust service criteria:

• Security (Common Criteria): Protection of systems and customer data against unauthorized physical and logical access.

• Availability: Operation and uptime of the service as committed to customers.

• Confidentiality: Protection of information designated as confidential by the customer.

Processing Integrity and Privacy aren’t in scope. Privacy controls for personally identifiable information are covered by our broader information security program and the data protection obligations set out in our customer agreements.

Exclaimer’s SOC 2 Type II report

Our SOC 2 Type II audits are conducted annually by BARR Advisory, an AICPA-registered audit firm. Our most recent report was issued in February 2026 and covers the Security, Availability, and Confidentiality trust service criteria.

How Exclaimer meets the trust service criteria for SOC 2 Type II

Exclaimer meets the three trust service criteria in scope of our SOC 2 Type II report through a combination of platform architecture, operational controls, and continuous monitoring. The summaries below describe how each criterion is implemented across our cloud platform.  

Security 

Our platform is hosted on Microsoft Azure with logical segregation between customer tenants and multi-factor authentication on all privileged access. Data is encrypted in transit and at rest using industry-standard cryptographic protocols. 

Availability 

Exclaimer is hosted across 14 Microsoft Azure datacenters, grouped into seven geographically separated active-active pairs, with automatic regional failover. The platform delivers a 99.99% average uptime. 

Confidentiality 

Exclaimer doesn’t persistently store the content of customer emails. Messages are processed in memory, the signature is applied, and the message is returned to the customer's mail flow. There are no archives of processed messages and no facility for Exclaimer personnel to browse email bodies. 

For the technical controls behind each of these areas, see our security overview page.

Access Exclaimer’s SOC 2 Type II report

This page is designed to support your vendor risk assessment. The Exclaimer Trust Center is where the underlying audit evidence lives. Our SOC 2 Type II report, along with the supporting audit evidence, is available in the Exclaimer Trust Center under NDA. You'll also find pre-completed answers to over 350 questions covering our wider security and compliance program.

If your vendor review needs documentation or context that isn't in the Trust Center, contact our security team directly.