DUBLIN, Calif. — January 22, 2026 — Safeguard today announced that its SOC 2 Type II audit is underway, covering the platform's security, availability, and confidentiality trust services criteria. The audit is part of a planned annual programme, and Safeguard intends to renew the attestation on an ongoing basis.
SOC 2 Type II differs from Type I in that it tests the operating effectiveness of controls over a defined window, not just the design of those controls at a point in time. The audit examines Safeguard's controls across the relevant trust services criteria and will report on how those controls operate throughout the audit period. Once the audit concludes, the attestation will be available to qualified customers and prospects under a standard mutual non-disclosure agreement.
The audit window overlapped with several material engineering investments. Safeguard moved its release pipeline to sigstore-signed artifacts during the period, meaning that every published binary, container image, and model weight bundle now has a public, verifiable signature tied to the build provenance. The platform also stood up a coordinated disclosure programme at security@safeguard.sh, with a published response service-level objective and a public acknowledgements page.
"SOC 2 Type II is not the finish line — it is the baseline an enterprise security platform should be measured against," said Hritik Kumar Sharma, Founder and CEO of Safeguard. "What matters more, from our point of view, is the continuous controls evidence behind the attestation. The same evidence pipeline that satisfies the auditor satisfies the customer asking the same questions twelve months later."
The continuous controls evidence pipeline is the architectural counterpart to the audit. Rather than producing point-in-time screenshots and policy documents, Safeguard's internal control plane emits evidence as the controls operate — access reviews, change approvals, vulnerability remediation timelines, and incident response artifacts — and stores them as signed records. Customers operating under their own SOC 2, ISO 27001, or sector-specific regimes can ingest that evidence directly into their own control libraries.
"Continuous evidence is the only honest version of an annual audit," said the Safeguard engineering team. "If the controls only operate during the audit window, the audit is theater. If they operate every day, the audit is a sample."
Once the audit concludes, the SOC 2 Type II report will be available to qualified parties via the Safeguard trust portal. Customers with active subscriptions can request status through their account contact.
About Safeguard
Safeguard is the software supply chain security platform that fuses 11 scanners, a security-only AI model lineup (Griffin · Eagle · Lion), and reachability-aware reasoning to find what pattern scanners miss — from CVEs to candidate zero-days — and to ship the fix with cited reasoning. The platform is built for engineering teams shipping production software and for the regulators auditing them. Learn more at https://safeguard.sh.