SOC 2 Type II

An independent third-party audit that verifies the operating effectiveness of Zeal's security controls over a defined observation period. Not a self-assessment. Not a point-in-time snapshot. An ongoing audit that requires controls to work consistently, every day, for months.

What the audit means

Type II, not Type I

SOC 2 reports are issued as either Type I or Type II. A Type I report reflects the auditor's opinion that, at a specific point in time, a service organization has controls suitably designed to meet the relevant Trust Service Criteria. A Type II report goes further. It reflects the auditor's opinion that those controls operated effectively over an observation period -- typically six to twelve months -- based on testing of actual control operation, not just design.

Type II is the meaningful standard for enterprise vendor assessment because it answers the question that matters: not whether the controls exist on paper, but whether they work in practice, consistently, over time. Zeal completes an annual Type II audit. The observation period runs twelve months. The report is issued by an independent CPA firm accredited to perform SOC 2 examinations.

Type I

Controls are suitably designed at a single point in time. Tests design, not operation. No evidence that controls function over time.

Type II (Zeal)

Controls operated effectively over a twelve-month observation period. Tests actual operation through sampling and evidence review.

Scope

Trust Service Criteria covered

Zeal's SOC 2 Type II audit covers all five Trust Service Criteria. Each criterion requires a separate set of controls and is tested independently during the audit.

Security (CC)

The foundational criterion. Covers logical and physical access controls, change management, risk management, monitoring, and incident response. The auditor tests whether access is restricted to authorized personnel, whether changes go through a controlled process, whether the environment is monitored for anomalies, and whether incidents are detected and handled appropriately. Every SOC 2 audit must include Security.

Representative controls in scope

  • Role-based access control with least-privilege enforcement
  • Multi-factor authentication required for all production access
  • Automated vulnerability scanning with defined remediation SLAs
  • Change management process with peer review and approval gates
  • 24/7 security monitoring with alerting and on-call response
  • Annual penetration testing by independent third party

Availability (A)

Covers whether the system is available for operation and use as committed. The auditor tests incident and problem management procedures, capacity planning, backup and recovery processes, and environmental protections. Zeal publishes uptime commitments in its enterprise Service Level Agreements and maintains a public status page.

Representative controls in scope

  • Multi-AZ deployment for all production services
  • Daily encrypted backups with tested restoration procedures
  • Defined recovery time objective (RTO) and recovery point objective (RPO) for critical systems
  • Capacity monitoring with automated scaling for primary workloads
  • Disaster recovery plan tested annually

Processing Integrity (PI)

Covers whether system processing is complete, valid, accurate, timely, and authorized. For Zeal, this criterion addresses the accuracy and completeness of contract analysis outputs, the integrity of data ingestion pipelines, and the handling of processing errors. Controls include input validation, output verification checks, and error logging.

Representative controls in scope

  • Input validation at ingestion boundaries for all document formats
  • Processing error detection with automatic retry and failure logging
  • Output integrity checks on AI-generated extractions
  • Audit trail for all data processing operations

Confidentiality (C)

Covers information designated as confidential -- in Zeal's case, the contract data and legal information submitted by customers. The auditor examines whether confidential information is protected during collection, use, retention, disclosure, and disposal. Controls include encryption, access restrictions, data handling procedures, and disposal processes.

Representative controls in scope

  • AES-256 encryption at rest for all customer data
  • TLS 1.3 for all data in transit
  • Tenant isolation in all AI processing pipelines
  • Data classification policy with handling requirements per class
  • Secure disposal procedures for decommissioned media
  • NDA requirements for all staff with access to customer data

Privacy (P)

Covers personal information collected, used, retained, disclosed, and disposed of in conformity with AICPA's Generally Accepted Privacy Principles. The auditor examines notice and consent practices, data subject rights handling, use limitation, and security of personal information. Zeal's privacy criterion controls align with GDPR and CCPA obligations.

Representative controls in scope

  • Privacy notice provided at point of collection
  • Data subject rights request handling procedure with defined response timelines
  • Documented legal basis for each category of personal data processing
  • Sub-processor disclosure and contractual obligations
  • Data retention and deletion schedules for personal information

Access

How to request the SOC 2 report

The SOC 2 Type II report is a confidential document prepared by Zeal's auditing firm and is distributed under a mutual NDA. It is available to current enterprise customers, active enterprise prospects in the evaluation phase, and investors under appropriate confidentiality terms.

To request the report, contact the Zeal security team at security@zeal.us with your name, organization, and the context of your request. Current customers can also request the report through their account representative. Zeal will confirm receipt within two business days and coordinate NDA execution and document delivery.

A summary of the audit scope, observation period, and auditor identity can be provided without NDA for organizations conducting preliminary due diligence.