
Our SOC 2 Journey: Building Enterprise Trust for AI Agent Governance

JieGou has begun its SOC 2 Type II audit. Here's why SOC 2 matters for AI agent platforms, what the audit validates, and what it means for enterprise customers evaluating agent governance.

JieGou Team

Why SOC 2 Matters for AI Agent Platforms

When enterprises evaluate AI agent platforms, security and compliance are consistently cited as the #1 requirement. 75% of enterprise leaders say security, compliance, and auditability are their most critical criteria for agent deployment.

SOC 2 Type II is the gold standard for demonstrating that a SaaS platform has the controls necessary to protect customer data. It’s not a self-assessment — it’s a third-party audit conducted by an independent CPA firm, examining controls over an extended observation period.

For AI agent platforms specifically, SOC 2 validates that:

  • Customer data processed by AI agents is protected
  • Access controls prevent unauthorized agent actions
  • Audit trails capture all system activity
  • Incident response procedures are in place
  • Change management controls govern platform updates

What We’re Auditing

JieGou’s SOC 2 Type II audit covers the five Trust Services Criteria:

1. Security (Common Criteria)

The foundation of SOC 2. Our security controls include:

  • AES-256-GCM encryption for BYOK (Bring Your Own Key) API keys at rest
  • Firebase Authentication with session cookie management
  • 6-role RBAC (Owner > Admin > Manager > Editor > Viewer) with 20 granular permissions
  • Redis-backed rate limiting on LLM endpoints (30 req/min per user)
  • Per-provider circuit breaker for LLM resilience

2. Availability

Platform uptime and reliability controls:

  • Kubernetes deployment on EKS with auto-scaling
  • Health check endpoints with structured monitoring
  • Dead letter queue for failed async operations with category-specific retry logic
  • Stalled run watchdog for workflow execution recovery

3. Processing Integrity

Ensuring AI agent outputs are complete, valid, and accurate:

  • Bakeoff testing framework with LLM-as-judge evaluation
  • Template health CI with automated quality scoring
  • Convergence loops for iterative quality improvement
  • Multi-judge evaluation with statistical confidence (Kendall’s tau, Spearman’s rho)

4. Confidentiality

Protecting sensitive business data:

  • Data residency controls with per-category classification (HIPAA/GDPR/PCI-DSS/SOX/FedRAMP)
  • BYOK encryption so customer API keys never leave their control
  • Department-scoped data access ensuring agents only see data relevant to their department
  • Run visibility controls with 4 scopes: private, department, account, group

5. Privacy

Customer data handling practices:

  • Fire-and-forget audit logging covering 30 action types
  • Compliance timeline for visual governance event history
  • Evidence export with 17 TSC controls across 8 categories
  • GDPR-ready data handling with configurable retention policies

The Audit Timeline

Our SOC 2 Type II audit began on March 5, 2026, with a 12-month observation period:

  • March 2026: Service period begins, Vanta continuous monitoring active
  • Ongoing: Controls are monitored and evidence is collected automatically
  • March 2027: Observation period ends, audit report issued

We chose Type II (vs. Type I) because it requires demonstrating that controls are not just designed but operating effectively over time. A Type I audit is a point-in-time snapshot. A Type II audit proves sustained compliance — which is what enterprise customers actually need.

What This Means for Customers

For enterprises evaluating JieGou:

  1. “SOC 2 Type II — Audit in Progress” means we’ve committed to third-party validation of our security controls. The audit is active and being monitored continuously.

  2. Our governance stack is the foundation for SOC 2. The 10-layer governance architecture, audit logging, RBAC, and compliance controls we built for AI agent governance are the same controls the SOC 2 audit validates.

  3. Evidence export is already available. You don’t need to wait for the audit to complete. JieGou’s evidence export covers 17 TSC controls across 8 categories — structured for your own compliance team.

How JieGou Compares

Most agent-native platforms (CrewAI, LangGraph, AutoGen) don’t have SOC 2 certification or audits in progress. Enterprise automation platforms (Zapier, Make) have SOC 2, but don’t provide agent-specific governance controls. JieGou combines both: enterprise-grade security certification with purpose-built AI agent governance.

