Honest status, with dates instead of silence
A buyer’s security questionnaire asks for ISO 27001, ISO 42001, and SOC 2 first. Here is the plain status of each — what Permafrost holds, what is underway, and what is inherited from the infrastructure layer. We never list a certification we do not hold as held.
At a glance
Permafrost's own certifications
Attestations of Permafrost's product, processes, and controls.
- SOC 2 Type 2: Permafrost's own audit of its security controls over an observation window. Status: In progress, expected H2 2026.
- ISO 27001: Information-security management certification for Permafrost. On the roadmap after SOC 2 Type 2. Status: Planned.
- ISO 42001: AI-management-system certification covering Permafrost's analysis and AI governance. On the roadmap. Status: Planned.
Inherited from the infrastructure provider
Substrate certifications that attest the hosting layer beneath Permafrost, not Permafrost's own controls.
- SOC 2: Attested at the hosting layer by Permafrost's infrastructure provider. Covers the substrate, not Permafrost's own controls. Status: Inherited, current.
- ISO 27001: Inherited from the infrastructure provider's certified hosting platform. Status: Inherited, current.
- ISO 27018: Cloud-PII protection, inherited from the infrastructure provider's certified platform. Status: Inherited, current.
Framework by framework
ISO 27001 — information security
ISO 27001 is the information-security management baseline most UK and EU enterprise reviewers ask for first. Permafrost is aligned to the standard’s control areas and treats it as a committed roadmap milestone — not a certificate we hold today. We will not describe Permafrost as ISO 27001 certified until an accredited body issues the certificate.
The hosting layer beneath Permafrost is ISO 27001 certified by the infrastructure provider. That attests the substrate, not Permafrost’s own controls — the distinction matters, and the table above keeps the two separate. Until our own certificate lands, the compensating controls below are the controls you can verify today.
ISO 42001 — AI management system
ISO 42001 is the emerging standard for an AI management system (AIMS). Permafrost is monitoring it as a roadmap item and is not certified. There are two distinct questions a reviewer should keep separate.
How Permafrost governs its own AI use: our analysis is deterministic and rule-based at its core, with clear boundaries on where any AI assistance is applied. As we formalize an AIMS, this surface will carry the dated status.
How Permafrost helps you govern your AI agents: agent identities (Entra Agent ID), blueprint inheritable-permission risk, per-agent blast radius, and dormant-agent reaping are a control surface for your own AI-governance program. That is mapped in detail on the Compliance & AI governance page.
SOC 2 — service trust criteria
SOC 2 is the attestation US-influenced and enterprise UK buyers ask for. Permafrost’s own SOC 2 audit is in progress; the table above carries the expected window. When a report or bridge letter is available, a buyer can request it under NDA through their account team.
One point reviewers routinely conflate: the in-product SOC 2 mapping is not Permafrost’s own attestation. Permafrost ships a compliance report that helps you evidence your tenant’s posture against SOC 2 control areas. That is a feature for your audit — it says nothing about Permafrost’s own controls, which only an independent SOC 2 report attests.
Controls in place today
A certificate is a point-in-time attestation of controls. These controls hold now, are designed into the product, and several are verifiable from your side without taking our word for it.
