Capy Is SOC 2 Type II Certified
Capy is SOC 2 Type II certified.
Most SaaS tools store your data passively. Capy's agents read your private codebase, execute code, and push commits on your behalf. The security bar for that kind of access has to be higher — and now it's independently verified.
Type I vs. Type II
SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of CPAs. It evaluates how a company manages and protects customer data across trust service criteria — security, availability, processing integrity, confidentiality, and privacy — with security being the mandatory baseline.
SOC 2 Type I is a point-in-time assessment. Auditors verify that the right controls are in place and properly designed — a snapshot.
SOC 2 Type II evaluates whether those controls operate effectively over an extended observation period, typically six to twelve months. Not "do you have the right locks?" but "did you lock the door, every day, for the last six months?"
We went straight for Type II. Type I tells you we set things up correctly. Type II proves we run them correctly.
Why the bar is higher for AI agents
When an AI agent reads your repository, it sees everything: proprietary business logic, internal APIs, environment variables, credentials, commit history. When it executes code, it's running arbitrary commands inside an environment connected to your stack. When it pushes a PR, it's making changes to production-bound code.
That's a qualitatively different trust surface than a tool that stores a document or syncs a calendar. The auditors knew it, and so did we.
The controls SOC 2 Type II required us to prove, over six months of evidence, included:
Code execution isolation: Each Build agent task runs in an ephemeral, isolated VM. Environments are created fresh for each task and torn down on completion. Auditors verified that no data leaks between tasks or between customers, and that agents can't traverse into broader infrastructure.
Credential and secret handling: Auditors examined how we scope, store, and expire GitHub OAuth tokens, workspace credentials, and API keys. They confirmed secrets are never written to logs, never persisted beyond their intended use, and that access revocation is immediate.
Access controls and least privilege: Every integration — GitHub, Slack, third-party tools — is scoped to the minimum permissions needed. Auditors reviewed months of access logs to verify continuous enforcement, not just policy documentation.
Change management: Capy proposes code changes; humans approve before anything merges. Auditors examined our own internal deployment pipeline — every code change to Capy itself going through the same review gates we ask our customers to use.
Incident detection and response: Every security event over the six-month observation period was reviewed. Detection times, escalation procedures, customer notification processes, post-incident documentation. The question wasn't whether we had a runbook — it was whether we followed it.
What this means for you
For enterprises: SOC 2 Type II is a standard vendor requirement in healthcare, finance, legal, and government procurement. Our report is available on request. Email security@capy.ai and we'll share it under NDA.
For everyone: Whether your team is three engineers or three hundred, you're using an AI agent with elevated access to your codebase. Those controls protect your code, your secrets, and your customers — regardless of your size or industry.
Going forward: SOC 2 Type II is the foundation, not the ceiling. We'll maintain continuous compliance, run annual audits, and expand our security posture as Capy's capabilities grow.
Trusting Capy to work in your codebase means trusting it with your most sensitive engineering assets. SOC 2 Type II gives that trust an independent foundation — not our word, but six months of auditor verification.
Build with confidence.
Capy is SOC 2 Type II certified. AI agents in your codebase, backed by independent security verification.
