Trust
SOC 2 Type 1 self-attestation pack
OilFlow is currently in SOC 2 Type 1 self-attestation; Type 2 audit engagement with Drata is in progress. The procurement evidence below — CSA CAIQ v4, sub-processor list with compliance posture, DPA template, auditor LoE — is available under our standard mutual NDA so vendor intake can run in parallel with the Type 2 observation window.
Honesty statement
Per CLAUDE.md §8 hard constraint #2, OilFlow does not claim SOC 2 Type II until the audit is complete and the report exists. Today, OilFlow operates against the SOC 2 Trust Services Criteria (security, availability, confidentiality), has implemented the controls that map to those criteria, and self-attests via CSA CAIQ v4 + SIG Lite. The Type 2 audit observation window opens Q3 2026; the Type 2 report ships Q1 2027. We’ll update this page the day the report is countersigned.
Attestation status
Public trust surfaces (no NDA): /trust · /trust/transparency
Mutual NDA — short form
The materials behind this page are pre-release procurement evidence: signed auditor engagement letter, cyber liability COI, pen test summary. We make them available to prospective customer compliance + risk teams under our standard mutual NDA so vendor intake can proceed in parallel with our SOC 2 Type II observation window.
- You will not redistribute these artifacts outside your organization’s compliance + procurement + legal teams.
- You will treat the engagement letter, COI, and pen test summary as confidential.
- Full NDA terms apply per the executed pilot/MSA, or — pre-contract — our standard form at /dpa.
- This acceptance is logged with your email + organization for our records.
Acceptance is stored in a first-party cookie for 30 days. No third-party tracking. Questions: legal@oilflow.us.