Audit Policy
This page describes how CustomerNode supports customer audit and assurance activities. The standard compliance package satisfies most procurement and security-review needs.
Standard compliance documentation is the default. Additional audit support is available on request. Customers bear the reasonable costs of audit support beyond the standard package unless otherwise agreed in writing.
Standard compliance package
The standard package consists of the following. Some items are public; the rest are provided to current and prospective customers on request during security review:
- SOC 2 Type I report — unredacted (a redacted version is also publicly downloadable)
- Subprocessor list (current state)
- Countersigned Data Processing Addendum
- Security overview (this Trust Center)
- GenAI Governance Policy
- Privacy Policy and Terms of Use
- Standard responses to common security questionnaires
SOC 2 access
A redacted version of the SOC 2 Type I report is publicly downloadable. The complete unredacted report, including subservice organization names and infrastructure detail, may be made available to current and prospective customers during security review on request via [email protected].
Security questionnaires
We respond to standard security and vendor-risk questionnaires (CAIQ, SIG-Lite, and common custom questionnaires of comparable length) at no additional cost as part of the standard package. Highly bespoke questionnaires, or questionnaires requiring repeated re-completion within a short period, may be treated as professional services work.
Audit requests
Customers may, subject to reasonable notice and the limits described below, request additional audit support beyond the standard package — for example, an attestation letter addressing a specific control, a controls-mapping document, or a written response to a regulator. Scope, timing, and any applicable cost will be agreed in writing in advance.
Scope limitations
Some forms of audit support are not available, either because they would compromise the security and privacy of other customers or because they are inconsistent with how the platform is operated. Specifically:
- No source code access. CustomerNode's source code is not provided to customers, auditors, or third parties.
- No production access. Customers and auditors do not receive access to production systems, databases, or administrative interfaces.
- No destructive testing. Testing that could degrade service availability or integrity for other customers is not permitted.
- No unapproved penetration testing or automated scans. Any security testing against CustomerNode systems must be scoped, scheduled, and approved in writing in advance.
Restricted testing
Customers wishing to perform a security test against their own tenant must obtain prior written approval. Approved tests will be scoped to the requesting tenant, scheduled, and bounded in volume to avoid impact on the shared platform. Unapproved scans — including automated vulnerability scanners run against our public endpoints — may be treated as abusive traffic and blocked.
Confidentiality
Audit materials shared with customers or their auditors during security review are confidential and may not be redistributed without CustomerNode's prior written consent. Findings discovered during an approved test must not be disclosed publicly before a coordinated disclosure window has been agreed with CustomerNode.
Customer-borne costs
Costs incurred in connection with audits beyond the standard package — including CustomerNode personnel time, third-party coordination, and any additional certification or attestation work — are the customer's responsibility unless otherwise agreed in writing.
Billable assistance
Customer-specific assurance work beyond the standard package is treated as professional services and is billed at then-current rates. Examples include:
- Custom attestation letters addressing customer-specific controls
- Bespoke controls-mapping work (e.g. to internal customer frameworks)
- Coordination with the customer's external auditor
- Customer-specific regulator responses
- Repeated re-completion of large vendor-risk questionnaires within the same cycle
Scope and pricing will be agreed in writing before work begins. Where possible, we will propose a fixed fee; otherwise time-and-materials applies.