Security is fundamental to what we do
AI implementations touch the most sensitive aspects of an organization. When companies trust us with critical projects, we honor that trust with independently verified security controls.
SOC 2 Type 1
Civic achieves SOC 2 Type 1 compliance
Proving our commitment to security, trust, and protecting sensitive data for AI-powered teams.
Civic has achieved SOC 2 Type 1 compliance, underscoring our commitment to protecting client data and maintaining the highest security standards across our company.
SOC 2 is a framework established by the American Institute of Certified Public Accountants (AICPA). A Type 1 report evaluates our security controls and practices at a specific point in time. This attestation confirms our controls are suitably designed to meet rigorous industry standards as of the audit date. It covers three critical trust service criteria: security, availability, and confidentiality.
The pre-audit process involved extensive evaluation of our internal controls, security policies, and operational procedures. Independent auditors examined our data handling practices, access controls, system monitoring, and incident response capabilities. This thorough review confirmed that our controls were suitably designed to meet the SOC 2 criteria, aligning with recognized security and compliance standards.
Our compliance extends beyond meeting audit requirements. We've integrated security considerations into every aspect of our business, from initial client assessments through project delivery and ongoing support. Security remains a priority throughout the entire engagement lifecycle.
Google CASA Tier 2
Civic passes Google CASA Tier 2 security assessment
Secure integrations start with secure code.
Civic passed Google's Cloud Application Security Assessment (CASA) at Tier 2. An authorized third-party lab tested our platform against key security requirements mandated by the App Defense Alliance's Tier 2 standard, which is based on OWASP ASVS v4.0, and found no high-risk vulnerabilities. The App Defense Alliance, led by Google, Meta, and Microsoft, administers this assessment.
CASA Tier 2 evaluates application security controls across 14 critical security categories. Independent assessors examined our API security, access controls, data handling practices, cryptographic implementations, and authentication flows. They mapped our code against common weakness enumerations with high exploit potential and verified compliance with OWASP ASVS Level 2 requirements.
Supply chain security has become central to enterprise risk management. Organizations now face requirements to verify the security posture of every vendor in their technology stack. CASA Tier 2 gives clients concrete evidence for stakeholder reviews and audit requirements — an official Letter of Validation (LoV) rather than self-certification.
For the assessment, our engineering and security teams enhanced secure coding practices, strengthened continuous security testing, and refined threat modeling processes. The lab conducted Dynamic Application Security Testing (DAST), reviewed our source code using Static Application Security Testing (SAST), and validated our defenses against the OWASP Top 10 and beyond.
Questions about our security practices?
If you are interested in learning more about our security practices or how our compliance supports your AI initiatives and regulatory requirements, we encourage you to reach out directly.