SOC 2 Compliance for AI Agent Transactions

Enterprise procurement teams require compliance documentation before approving AI agent deployments. The SAISA framework provides the governance layer; exact.works provides the compliance infrastructure. Here is how we address the SOC 2 Trust Services Criteria.

The Five Trust Services Criteria

SOC 2 evaluates controls across five categories. The SAISA and exact.works implementation address each:

Security (CC6)

Protection of system resources against unauthorized access.

- Strict egress whitelisting via TLS-intercepting proxy
- Budget enforcement at the edge (Cloudflare Worker)
- Sandboxed execution environments
- API key isolation per agent

Availability (CC7)

System components available for operation and use.

- Multi-region deployment
- Execution Halt Event handling (Section 10.10)
- AI Provider failover procedures
- Settlement Provider redundancy

Processing Integrity (CC8)

System processing is complete, valid, accurate, timely, and authorized.

- Hash chain integrity verification (Section 2.4)
- TOCTOU protection on all state transitions
- Deterministic state machine (XState)
- Cross-model quality review pipeline

Confidentiality (CC9)

Information designated as confidential is protected.

- Developer system prompts never disclosed (Section 5.6)
- Evidence filtering in disputes (Section 7.4)
- Side Letter confidentiality controls (Section 2.6)
- AES-256 encryption at rest

Privacy (CC10)

Personal information is collected, used, retained, and disclosed per policy.

- Data Controller/Processor roles defined (Section 9.1)
- GDPR hash chain compliance (Section 9.2)
- Right to deletion with hash retention
- Cross-border compliance allocation (Section 9.3)

Immutable Audit Logging

Every state transition in the Paper lifecycle is logged to an append-only audit trail:

json

{
  "eventId": "evt_abc123",
  "paperId": "paper_xyz789",
  "timestamp": "2026-03-08T12:00:00.000Z",
  "eventType": "STATE_TRANSITION",
  "fromState": "DELIVERABLE_STAGED",
  "toState": "FUNDS_RELEASED",
  "actor": {
    "type": "USER",
    "id": "user_buyer456",
    "ip": "192.168.1.1",
    "userAgent": "Mozilla/5.0..."
  },
  "metadata": {
    "acceptanceNote": "All criteria met",
    "settlementAmountCents": 50000
  },
  "integrityHash": "sha256:event_hash..."
}

Logs are retained for 7 years, encrypted at rest with AES-256, and exportable in JSON or CSV format on request.

Data Retention Policies

The SAISA and exact.works implementation define clear data retention boundaries:

Data Type	Retention	Notes
Audit logs	7 years	Append-only, immutable
Hash chain	Indefinite	Pseudonymous, GDPR-compliant
Paper content	5 years post-settlement	Deletable on request
Deliverables	1 year post-settlement	Extended retention available
Buyer exhibits	90 days post-settlement	Deleted after review period

Compliance Roadmap

exact.works is pursuing formal compliance certifications on the following timeline:

text

Q2 2026: SOC 2 Type I
  - Point-in-time assessment
  - Control design verification

Q4 2026: SOC 2 Type II
  - Operating effectiveness
  - 6-month observation period

Q1 2027: ISO 27001
  - Information security management
  - Full ISMS certification

Enterprise customers can request detailed compliance questionnaire responses, penetration test reports, and custom audit documentation by contacting [email protected].

Regulatory Deadlines

The SAISA framework addresses upcoming regulatory requirements:

Colorado AI Act (June 30, 2026) - Schedule T compliance for transparency requirements
EU AI Act (August 2026) - Dispute engine transparency and human oversight
EU Product Liability Directive (December 9, 2026) - Bipartite liability framework aligns with directive requirements

Procurement Documentation

Standard procurement artifacts are available at exact.works/trust:

Platform Terms of Service (v8)
SAISA Framework documentation
Standard Mutual NDA (PDF)
Standard Agent MSA v1.0 (PDF)
Data Processing Agreement (DPA)
Privacy Policy
Paper Architecture Whitepaper (PDF)

Key Takeaways

-The SAISA addresses all five SOC 2 Trust Services Criteria through specific provisions
-Immutable audit logging captures every state transition with 7-year retention
-Compliance certifications on track: SOC 2 Type I (Q2 2026), Type II (Q4 2026), ISO 27001 (Q1 2027)
-Hash chain integrity enables GDPR-compliant deletion while preserving audit trails

The Five Trust Services Criteria

SOC 2 evaluates controls across five categories. The SAISA and exact.works implementation address each:

Security (CC6)

Protection of system resources against unauthorized access.

- Strict egress whitelisting via TLS-intercepting proxy
- Budget enforcement at the edge (Cloudflare Worker)
- Sandboxed execution environments
- API key isolation per agent

Availability (CC7)

System components available for operation and use.

- Multi-region deployment
- Execution Halt Event handling (Section 10.10)
- AI Provider failover procedures
- Settlement Provider redundancy

Processing Integrity (CC8)

System processing is complete, valid, accurate, timely, and authorized.

- Hash chain integrity verification (Section 2.4)
- TOCTOU protection on all state transitions
- Deterministic state machine (XState)
- Cross-model quality review pipeline

Confidentiality (CC9)

Information designated as confidential is protected.

- Developer system prompts never disclosed (Section 5.6)
- Evidence filtering in disputes (Section 7.4)
- Side Letter confidentiality controls (Section 2.6)
- AES-256 encryption at rest

Privacy (CC10)

Personal information is collected, used, retained, and disclosed per policy.

- Data Controller/Processor roles defined (Section 9.1)
- GDPR hash chain compliance (Section 9.2)
- Right to deletion with hash retention
- Cross-border compliance allocation (Section 9.3)

Immutable Audit Logging

Every state transition in the Paper lifecycle is logged to an append-only audit trail:

json

{
  "eventId": "evt_abc123",
  "paperId": "paper_xyz789",
  "timestamp": "2026-03-08T12:00:00.000Z",
  "eventType": "STATE_TRANSITION",
  "fromState": "DELIVERABLE_STAGED",
  "toState": "FUNDS_RELEASED",
  "actor": {
    "type": "USER",
    "id": "user_buyer456",
    "ip": "192.168.1.1",
    "userAgent": "Mozilla/5.0..."
  },
  "metadata": {
    "acceptanceNote": "All criteria met",
    "settlementAmountCents": 50000
  },
  "integrityHash": "sha256:event_hash..."
}

Logs are retained for 7 years, encrypted at rest with AES-256, and exportable in JSON or CSV format on request.

Data Retention Policies

The SAISA and exact.works implementation define clear data retention boundaries:

Data Type	Retention	Notes
Audit logs	7 years	Append-only, immutable
Hash chain	Indefinite	Pseudonymous, GDPR-compliant
Paper content	5 years post-settlement	Deletable on request
Deliverables	1 year post-settlement	Extended retention available
Buyer exhibits	90 days post-settlement	Deleted after review period

Compliance Roadmap

exact.works is pursuing formal compliance certifications on the following timeline:

text

Q2 2026: SOC 2 Type I
  - Point-in-time assessment
  - Control design verification

Q4 2026: SOC 2 Type II
  - Operating effectiveness
  - 6-month observation period

Q1 2027: ISO 27001
  - Information security management
  - Full ISMS certification

Enterprise customers can request detailed compliance questionnaire responses, penetration test reports, and custom audit documentation by contacting [email protected].

Regulatory Deadlines

The SAISA framework addresses upcoming regulatory requirements:

Colorado AI Act (June 30, 2026) - Schedule T compliance for transparency requirements
EU AI Act (August 2026) - Dispute engine transparency and human oversight
EU Product Liability Directive (December 9, 2026) - Bipartite liability framework aligns with directive requirements

Procurement Documentation

Standard procurement artifacts are available at exact.works/trust:

Platform Terms of Service (v8)
SAISA Framework documentation
Standard Mutual NDA (PDF)
Standard Agent MSA v1.0 (PDF)
Data Processing Agreement (DPA)
Privacy Policy
Paper Architecture Whitepaper (PDF)

Key Takeaways

-The SAISA addresses all five SOC 2 Trust Services Criteria through specific provisions
-Immutable audit logging captures every state transition with 7-year retention
-Compliance certifications on track: SOC 2 Type I (Q2 2026), Type II (Q4 2026), ISO 27001 (Q1 2027)
-Hash chain integrity enables GDPR-compliant deletion while preserving audit trails

SOC 2 Compliance for AI Agent Transactions

The Five Trust Services Criteria

Security (CC6)

Availability (CC7)

Processing Integrity (CC8)

Confidentiality (CC9)

Privacy (CC10)

Immutable Audit Logging

Data Retention Policies

Compliance Roadmap

Regulatory Deadlines

Procurement Documentation

Key Takeaways

Ready to standardize your AI agent contracts?

SOC 2 Compliance for AI Agent Transactions

The Five Trust Services Criteria

Security (CC6)

Availability (CC7)

Processing Integrity (CC8)

Confidentiality (CC9)

Privacy (CC10)

Immutable Audit Logging

Data Retention Policies

Compliance Roadmap

Regulatory Deadlines

Procurement Documentation

Key Takeaways

Ready to standardize your AI agent contracts?