SECURITY & CERTIFICATIONS

Security is enforced by the platform. Verified by independent audit.

This page is written for the partnerships lead, the procurement office, and the security reviewer. It lists every active certification, the scope of each, the data lifecycle, the subprocessor inventory, and a direct contact for the security team. Everything here is verifiable.

  • Active certifications: 4
  • Years operating: 8+
  • Reportable incidents: 0
  • Audit cycle: Annual surveillance

The posture, in one paragraph.

Askable runs as a production platform. Recruitment, consent, capture, tagging, review, and delivery are code paths, not procedures. Every action is authenticated, authorised, and logged on the same audited system. The certifications below describe the same posture viewed from four different standards.

Eight years of operating that platform. The system has been audited every year for the last seven. The compound effect — controls, evidence, maturity — is what frontier-lab vendor review is actually looking for.

Four certifications. Together they describe the posture.

Held in combination — not separately. ISO 27001 is the information security baseline. ISO 27701 extends it with participant-data handling. ISO 42001 governs the production of AI training material specifically. SOC 2 Type II is the independent attestation format US enterprise procurement expects to see.

Each certificate lists its scope and an issuing body. We do not hold any of these in draft or "in progress" — every active certificate is current and verifiable.

ISO/IEC 27001 · Information Security Management System · Continuously certified since 2019

The baseline. Every production system in scope.

The international standard for information security management. The statement of applicability covers our entire production estate — capture infrastructure, participant database, reviewer tooling, delivery pipeline, and corporate identity. Nothing operational sits outside scope.

Surveillance audit each year. Re-certification audit every three years. The 2025 cycle was completed by BSI in April.

  • Annex A controls implemented in full
  • Risk register reviewed quarterly by the audit committee
  • Internal-audit programme runs continuously between external audits
  • Incident response plan tested twice yearly

ISO/IEC 27701 · Privacy Information Management System · Extension to 27001 · since 2022

For the participant data — every consent, every withdrawal.

Layered on top of 27001. Adds the specific control set that frontier-lab partnerships actually care about: how participant data is captured, lawfully processed, retained, accessed, exported, and deleted. The PII controller relationships are documented per capture brief; the PII processor relationships are documented per partner.

The extension matters because much of the training-data industry is operating on corporate-confidentiality controls only, and participant-data handling is a different risk class.

  • Consent capture is versioned per brief
  • Withdrawal pathway tested quarterly
  • Subject-rights requests handled in ≤14 days end-to-end
  • DPIA on file for every active capture programme

ISO/IEC 42001 · AI Management System · Certified 2025-09

The standard built for the work we do.

The newest of the four, and the one most directly relevant to the lab's work. ISO 42001 is the first international standard for AI management systems, covering the governance, risk management, and lifecycle controls for organisations producing AI components — including training data.

Held in addition to 27001 and 27701, not as a replacement. Together they describe a posture suitable for handling participant material that will be used to train consequential models.

  • AI risk-impact assessment per capture programme
  • Training-data lineage tracked from session to delivered sample
  • Annex-control implementation reviewed quarterly
  • Third-party AI components inventoried and approved

SOC 2 Type II · Trust Services Criteria report · Continuous since 2020

The attestation format US enterprise procurement expects.

An independent attestation rather than a certificate, covering the AICPA Trust Services Criteria. Type II reflects that controls have been tested over a continuous reporting window, not just designed at a point in time.

The 2025 report covers a 12-month window ending June 30, with no exceptions reported. Available under MNDA to procurement and security teams; we'd rather send the actual report than a marketing summary.

  • Trust Services Criteria: Security · Availability · Confidentiality · Privacy
  • Report window: 2024-07 to 2025-06
  • Independent auditor: A-LIGN
  • Available under MNDA · turnaround ≤ 2 working days

The data lifecycle, end to end.

Each step below is a code path on the platform. The controls listed under each step name the specific platform-level enforcement, not a procedural commitment.

Region: by default, all participant-data residency is Australia. EU and US residency options available on partnership scope. Cross-region transfer requires explicit partner-side authorisation.

Session lifecycle — controls in code, enforced & logged

01 · Recruit
Panel member matched to a brief. Identity verified at recruitment, re-verified at session.
Controls: SSO + MFA · tenant-isolated
Participant data · AU region default

02 · Consent
Brief-specific consent presented and recorded. Versioned. Withdrawable until release.
Controls: versioned record · tamper-evident log
Consent record · retained 7 years

03 · Capture
Session recorded against the consented brief. Encrypted in transit and at rest. Tenant-isolated.
Controls: AES-256 at rest · TLS 1.3 in transit · per-partner key
Raw artefact · partner-region storage

04 · Review
Internal reviewer applies tagging and segmentation. Access scoped to brief. Every action logged.
Controls: role-scoped · least-privilege · audit log
Reviewer access · revocable in < 60s

05 · Deliver
Structured batch delivered into the partner's environment. Schema co-versioned. Audit trail handed across.
Controls: signed manifest · partner-side audit
Retention · partner-configured

06 · Retire
After the retention window or on withdrawal, source material is cryptographically destroyed and the deletion is attested.
Controls: crypto-shred · attestation
Withdrawal SLA · 14 days end-to-end

Subprocessors.

The full subprocessor list, kept current. Each entry includes the function performed, the data class touched, the region, and the date the subprocessor was onboarded. We don't add a subprocessor without a documented review.

Notify-on-change. Partner accounts receive 30-day advance notification of any change to this list.

Subprocessor           Function                       Data class          Region          Since
Amazon Web Services    Primary cloud infrastructure   All                 AU · EU · US    2017-03
Cloudflare             Edge security & CDN            Metadata only       Global edge     2019-08
Datadog                Observability & telemetry      System telemetry    EU              2021-02
Stripe                 Participant payments           Limited PII         Per-region      2018-11
Okta                   Workforce identity             Internal user only  US              2020-06
1Password              Credential management          Internal secrets    CA              2018-04

The questions a vendor review usually opens with.

If your standard intake form has 200 questions, most of them are answered above. These are the ones we get asked most often that don't fit cleanly into the form.

If you'd rather skip the form, send your security checklist directly to security@askablelabs.com and we'll respond in a single pass.

Where does participant data live by default?

Australia. Per-partner region selection is available — EU (Ireland), US (us-east-1, us-west-2). Cross-region transfer requires partner authorisation.

Can you delete a participant's contributions after delivery?

Yes. Withdrawal is supported up to and after delivery. The end-to-end SLA on withdrawal — including cryptographic destruction on our side and the request relayed to the partner — is 14 days.

What encryption?

AES-256 at rest with per-partner KMS keys. TLS 1.3 in transit. Customer-managed keys available on partnership scope. No production data is ever held unencrypted.

How do you handle access?

Role-scoped, least-privilege, SSO + MFA. Every privileged action is logged with actor, action, and resource. Access for any reviewer is revocable in under 60 seconds.

What happens in an incident?

Documented incident-response plan, tested twice per year. Material partner-affecting incidents are notified within 24 hours; zero have been reportable since the platform began operating.

Do you train any of your own models on participant data?

No. Participant material is captured, structured, and delivered to partners. We do not train internal models on it, and the platform enforces this at the data-egress layer.

Can you sign an MNDA before sharing the SOC 2 report?

Yes. The SOC 2 Type II report is available under MNDA within two working days of signature. Standard MNDA template is at /legal/mnda.

SECURITY CONTACT

Direct line to the team that owns this.

Vendor reviews, certificate requests, SOC 2 report under MNDA, or anything you need to clear an enterprise security review — go directly to the security team.

PGP key fingerprint: A2D4 91F2 7CC0 8E55 · 4B6F BFAE 9E0F 2210 · 73AC 6B8D
Bug bounty: /security/responsible-disclosure