Trust & Security

Built to pass enterprise procurement.

Telepathy handles employee data on day one, so security is a feature, not an afterthought. Here's exactly where we are on the certifications buyers like Klarna, Spotify and mid-market tech companies ask for — and when each one lands.

GDPR + DPA

Live

Standard Data Processing Agreement, EU data residency option, sub-processor list and DSR workflow.

Available today

SOC 2 Type I

In progress

Point-in-time attestation, issued by a licensed CPA firm, that security controls are suitably designed. Required by most US mid-market and enterprise buyers.

Audit in ~6–10 weeks

SOC 2 Type II

Planned

Attestation that the same controls operated effectively over a 3–12 month observation window, backed by continuously collected evidence. Klarna, Spotify and similar buyers expect this before they put production data in the system.

6–9 months after Type I

ISO 27001

Planned

International ISMS certification. Strongly preferred by EU enterprises and procurement teams in the Nordics.

9–12 months

What this costs us (and why it matters to you)

SOC 2 Type I + II

$25k–$60k

Year-1 audit, automation tooling (Vanta / Drata / Secureframe), policy work.

ISO 27001

$35k–$120k

3-year certification cycle: Stage 1 + Stage 2 initial audit, then annual surveillance audits from an accredited certification body.

Typical timeline

6–12 mo

From first policy commit to a signed Type II report a buyer can forward to their CISO.

Standard procedure

  1. Scope the system + pick framework (SOC 2 first for US, ISO 27001 first for EU).
  2. Implement controls: access reviews, MFA, encryption, logging, vendor mgmt.
  3. Run a readiness assessment with a CPA / certification body.
  4. Type I audit (point-in-time) → 6–10 weeks.
  5. Observation window → Type II report (3–12 months of evidence).
  6. Ship the report + DPA + sub-processor list to procurement.

Buyer questionnaires we can answer today

  • SIG Lite
  • CAIQ v4
  • VSA Core
  • Custom security questionnaire

Need a signed NDA, DPA, pen-test letter, or our trust packet? Email security@telepathy.example.