Overview & Current Assurance Posture
This page documents the current state of external assurance for Complaint Analyst. It is written for procurement teams, compliance reviewers, and security assessors who need to understand what independent validation exists today and what is on the roadmap.
Complaint Analyst is an early-stage product built for regulated complaint operations. The assurance posture is growing alongside the product. Where a formal certification is not yet achieved, this page explains the interim controls that are in place and the target timeline for the certification programme.
SOC 2 Type II — Progress & Scope
Complaint Analyst is working towards SOC 2 Type II certification with a target completion in Q2 2026. The scope covers the complaint management platform including data storage, processing, AI-assisted analysis, and the administrative controls around tenant management.
The current state of SOC 2 readiness includes: role-based access controls across all API endpoints, immutable audit logging for analyst actions and system events, encrypted credential storage using Fernet, transport security over TLS 1.3, and session management with expiring JWT tokens and optional TOTP 2FA. These controls are tested in CI through the automated compliance test suite.
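The "expiring JWT tokens" control listed above, shown as an added example that is not Complaint Analyst's code: a stdlib-only HS256 session token whose expiry is set by the server and enforced on every verification. The 15-minute lifetime, the HS256 choice and the helper names `mint_token` and `verify_token` are assumptions for the example, not details from the page.

```python
"""Added example, not Complaint Analyst's code: HS256 session tokens with a
server-set expiry, using only the Python standard library.

Assumptions (not stated on the page): HS256 signing, a 15-minute session
lifetime, and the helper names mint_token/verify_token are illustrative."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_LIFETIME_SECONDS = 15 * 60  # assumption: 15-minute analyst sessions
HEADER = {"alg": "HS256", "typ": "JWT"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, key: bytes, now: Optional[int] = None) -> str:
    """Sign `claims` with HS256; `iat` and `exp` are always set by the server."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iat=now, exp=now + SESSION_LIFETIME_SECONDS)
    signing_input = f"{_encode_json(HEADER)}.{_encode_json(body)}"
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        body = json.loads(_b64url_decode(body_b64))
        presented = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(body, dict):
        return None
    # Pin the algorithm: the header's `alg` never selects the verifier, so an
    # `alg: none` or asymmetric-algorithm header is rejected outright.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    # Expiry is enforced on every request; a token at or past `exp` is expired.
    exp = body.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return body


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key comes from a secret store
    issued = int(time.time())
    token = mint_token({"sub": "analyst-42", "role": "analyst"}, key, now=issued)
    print("fresh token:", verify_token(token, key, now=issued + 60) is not None)
    print("after 15 min:", verify_token(token, key, now=issued + 900) is not None)
```

The verifier pins the algorithm and checks the signature before it reads `exp`, so an attacker cannot extend a session by editing the payload, and the comparison uses `hmac.compare_digest` to avoid timing leaks.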
The trust criteria in scope are Security, Availability, and Confidentiality. Processing Integrity and Privacy will be evaluated for inclusion after the initial Type II report is complete.
Penetration Testing
External penetration testing is scheduled annually against the production environment. The scope includes the public-facing web application, the API layer, the authentication and session management flows, and the intake endpoints that accept complaint data from external sources.
Between formal penetration tests, the engineering team runs automated security checks as part of the CI pipeline. These include dependency vulnerability scanning, static analysis for common vulnerability patterns (OWASP Top 10), and specific checks for the AI prompt pipeline to verify PII masking before data reaches the language model.
Sanitised penetration test summaries are available on request through the diligence form at the bottom of this page. Full reports with findings detail are shared under NDA with customers in active procurement.
Security Certifications & Roadmap
The current certification roadmap reflects the sequence that regulated fintech buyers most commonly request during procurement.
SOC 2 Type II is the immediate priority with a target of Q2 2026. ISO 27001 certification is targeted for Q4 2026, building on the controls and documentation established during the SOC 2 programme. The team is evaluating Cyber Essentials Plus as an additional UK-specific assurance signal for smaller regulated firms that use it as a baseline procurement requirement.
Until these certifications are achieved, the Trust Center serves as the primary assurance documentation. Each article is grounded in verifiable product behaviour rather than aspirational statements, and the automated compliance test suite in CI provides continuous evidence that security controls are functioning as documented.
Automated Compliance Tests as Assurance Evidence
The backend test suite includes a dedicated compliance marker that runs checks against FCA DISP timing rules, role-based access control enforcement, audit trail completeness, and PII handling in the AI pipeline. These tests execute on every pull request and block merges when a compliance check fails.
This automated approach means that the assurance evidence is not a point-in-time snapshot from an annual audit — it is a continuous gate that prevents regressions in security and compliance controls from reaching production. The test results are available as CI artefacts for customers who want to verify the claim.
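The two CI checks this page mentions, the PII-masking verification for the AI prompt pipeline (Penetration Testing section) and the compliance-marked tests for DISP timing, audit trail completeness and PII handling (this section), shown together as an added example that is not Complaint Analyst's test suite. The masking patterns, the audit record fields and the sample data are constructed for the example; the eight-week final-response deadline is taken from DISP 1.6.2R; the function names and the suggested `compliance` pytest marker are assumptions.

```python
"""Added example, not Complaint Analyst's test suite: compliance checks of
the kind described above, written as plain functions that return findings
so a marked CI test (for example one tagged `@pytest.mark.compliance`) can
assert each list is empty and fail the merge otherwise.

Assumptions (not stated on the page): the masking patterns, audit record
fields and sample data are constructed for this example; the eight-week
final-response deadline is taken from DISP 1.6.2R."""
import re
from datetime import date, timedelta
from typing import Dict, List

# Constructed patterns for PII that must not reach the language model.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "account_number": re.compile(r"\b\d{8}\b"),
}
REQUIRED_AUDIT_FIELDS = ("event_id", "timestamp", "actor", "action", "target")
FINAL_RESPONSE_DEADLINE = timedelta(weeks=8)  # DISP 1.6.2R: eight weeks from receipt


def mask_pii(text: str) -> str:
    """Replace each PII match with a typed placeholder before prompt assembly."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


def residual_pii(prompt: str) -> List[str]:
    """PII categories still present in a prompt; an empty list means clean."""
    return [label for label, pattern in PII_PATTERNS.items() if pattern.search(prompt)]


def audit_gaps(records: List[Dict]) -> List[str]:
    """One finding per audit record that lacks a required field."""
    findings = []
    for index, record in enumerate(records):
        missing = [field for field in REQUIRED_AUDIT_FIELDS if not record.get(field)]
        if missing:
            findings.append(f"record {index}: missing {', '.join(missing)}")
    return findings


def overdue_complaints(complaints: List[Dict], today: date) -> List[str]:
    """Ids of complaints past the final-response deadline with no response sent."""
    return [
        c["id"] for c in complaints
        if c.get("final_response_date") is None
        and today > c["received"] + FINAL_RESPONSE_DEADLINE
    ]


# Constructed sample inputs (not real customer data).
SAMPLE_COMPLAINT = ("I am writing about account 12345678 (sort code 12-34-56). "
                    "Call me on 07700 900123 or email jane.doe@example.com.")
TODAY = date(2026, 3, 2)
SAMPLE_AUDIT_LOG = [
    {"event_id": "evt-1", "timestamp": "2026-03-02T09:00:00Z", "actor": "analyst-42",
     "action": "complaint.view", "target": "CMP-001"},
    {"event_id": "evt-2", "timestamp": "2026-03-02T09:05:00Z", "actor": "",
     "action": "complaint.export", "target": "CMP-001"},
]
SAMPLE_COMPLAINTS = [
    {"id": "CMP-001", "received": TODAY - timedelta(days=10), "final_response_date": None},
    {"id": "CMP-002", "received": TODAY - timedelta(days=60), "final_response_date": None},
    {"id": "CMP-003", "received": TODAY - timedelta(days=70),
     "final_response_date": TODAY - timedelta(days=5)},
]


def run_compliance_checks() -> Dict[str, List[str]]:
    """Run every check over the sample data; each value is a list of findings."""
    prompt = mask_pii(SAMPLE_COMPLAINT)  # what would actually be sent to the model
    return {
        "pii_in_prompt": residual_pii(prompt),
        "audit_gaps": audit_gaps(SAMPLE_AUDIT_LOG),
        "overdue_complaints": overdue_complaints(SAMPLE_COMPLAINTS, TODAY),
    }


if __name__ == "__main__":
    for check, findings in run_compliance_checks().items():
        print(f"{check}: {'PASS' if not findings else findings}")
```

Each check returns findings rather than raising, so the same functions serve both a merge-blocking test and a CI artefact: the marked test asserts every list is empty, and the printed report is what a reviewer sees when a check fails.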
Requesting Assurance Artefacts
The following artefacts are available today through the diligence request form: this Trust Center documentation set, sanitised penetration test summaries, the automated compliance test report, the data processing agreement, and a completed vendor security questionnaire covering the standard SIG Lite and CAIQ question sets.
For artefacts that are not yet available — such as the completed SOC 2 Type II report or the ISO 27001 certificate — the team will provide the current status and expected timeline. Use the diligence request form below and specify the artefacts your review requires.