SOC 2 Type II
Permit.io completed its latest SOC 2 Type II renewal in January 2026. The report is available to qualified customers and prospects.

Permit.io protects the authorization layer that applications and AI agents rely on. Explore our security program, compliance posture, privacy practices, and operational resilience.
Overview
Our program combines independently examined controls with security practices designed for cloud, hybrid, and self-hosted authorization.
Permit.io completed its latest SOC 2 Type II renewal in January 2026. The report is available to qualified customers and prospects.
Administrative, technical, and operational safeguards support HIPAA-regulated workloads. Business Associate Agreements are available where applicable.
Permit.io supports data subject rights, contractual processing terms, and Standard Contractual Clauses for applicable international transfers.
Privacy procedures support applicable California consumer rights and customer data processing obligations.
Permit.io’s Edge PDP evaluates authorization close to your application. A local PDP can continue using cached policy during a temporary control-plane interruption, while self-hosted options give customers more control over deployment boundaries.
Permit.io secures the service and its delivery. Customers remain responsible for policy design, user lifecycle, application integration, and their deployment environment.
Resources
Review public policies and operating status, or request controlled access to confidential assurance documents.
Latest independent examination report.
Request this documentRedacted executive summary of the latest independent assessment.
Request this documentContractual privacy and data processing commitments.
View resourceHow Permit.io collects, uses, and protects personal information.
View resourceLive availability and incident updates for Permit.io services.
View resourceTechnical guidance for hosted, hybrid, and self-hosted deployments.
View resourceControls
Technical and organizational controls help protect customer data and keep the authorization service dependable.
Layered safeguards protect Permit.io’s cloud-hosted services.
Access follows least-privilege and individual-account principles.
Security checks are integrated throughout the development lifecycle.
People, process, and endpoint controls reinforce technical safeguards.
Data handling practices support privacy and customer control.
Hybrid architecture helps authorization remain close to the application.
Subprocessors
These providers may process customer data while delivering the Permit.io service. Customers receive advance notice of applicable subprocessor changes.
For the contractual list and notice terms, review the Data Processing Addendum.
Updates
Material assurance and service-provider updates are published here as the program evolves.
Permit.io completed its latest SOC 2 Type II renewal. Qualified customers and prospects can request the current report for their assurance review.
Request the latest reportFAQ
Quick answers to frequent architecture, privacy, and assurance questions.
Yes. Permit.io uses TLS to protect data in transit and encrypts production databases and block storage at rest. Encryption keys are managed through AWS KMS.
A locally deployed Edge PDP can continue evaluating cached policy and user data if it temporarily loses connection to the Permit.io control plane. Policy updates resume after connectivity returns.
No. Permit.io-owned AI models do not make production authorization decisions. Authorization is evaluated deterministically from the policies and contextual data configured by the customer.
Processing location depends on the selected deployment model and contract. Hosted services use AWS, while Edge PDP and self-hosted options let customers keep authorization evaluation closer to their own infrastructure.
Email help@permit.io with “Security concern” in the subject. The support team will route the report to the appropriate security owner.
Tell us which documents your review requires. Our team will verify your request and help with security questionnaires, SOC 2 evidence, penetration testing summaries, or a BAA.