SECURITY & CERTIFICATIONS

Audited end to end. The same posture for 3,000+ clients.

Askable Labs runs on Askable's production platform. The Integrated Management System that serves 3,000+ clients across banking, health insurance, and other regulated industries underpins every sample in the catalogue, externally attested under SOC 2 Type II and certified to ISO/IEC 27001:2022, 27701:2019, and 42001:2023. Public certificates and the full controls catalog live on the trust portal.

Operating since: 2017 (9 years in production)
IMS audit cadence: Annual, plus continuous monitoring
Frameworks: 8 (4 certified, 4 supporting)
COMPLIANCE

Four certifications carrying the platform. Four more reinforcing it.

External attestations and certifications held by Askable apply directly to Askable Labs. The lab runs on Askable's production platform, not a parallel one. Everything below is testing the same Integrated Management System.

Public certificates are downloadable from the trust portal. The SOC 2 Type II report, penetration test summary, and ISMS policies are released under MNDA via the portal's request flow.

ISO 27001:2022 certified by Sustainable Certification

ISO/IEC 27001:2022

Certified

Information Security Management System. The international baseline for information security.

ISO 27701:2019 certified by Sustainable Certification

ISO/IEC 27701:2019

Certified

Privacy Information Management System. Extends ISO 27001 with privacy-specific controls for participant data.

ISO 42001:2023 certified by Sustainable Certification

ISO/IEC 42001:2023

Certified

AI Management System. Governance for the responsible development and deployment of AI systems.

AICPA SOC 2 Type 2

SOC 2 Type II

Attested

Independent auditor attestation covering security, availability, and confidentiality over an audit window.

UK Cyber Essentials Certified

UK Cyber Essentials (NCSC scheme)

Certified

UK government-backed certification confirming essential cybersecurity controls are in place.

Wiz Cloud Security Excellence

Recognized (continuous)

Zero critical issues across the cloud posture, continuously monitored by Wiz.

GDPR compliant

GDPR (EU/EEA participants)

Compliant

EU privacy regulation. Lawful basis, consent versioning, and data-subject rights handled in code.

CCPA compliant

CCPA (California participants)

Compliant

California privacy regulation. Disclosure, opt-out, and deletion rights honored.
SESSION LIFECYCLE

Where the controls live.

Recruitment, consent, capture, tagging, review, and delivery are code paths on one audited system, not procedures stitched across spreadsheets. Every action is authenticated, authorized, and logged on the same platform.

The six stages below each surface the controls enforced in code and the framework families that audit them.

Session lifecycle: controls in code, enforced and logged.

01 Recruit

Participant matched to a brief via Askable's panel. Identity verified at recruitment and re-verified at session.
Controls: SSO + MFA · tenant-isolated · identity re-verification
Audited by: ISO 27001 · SOC 2

02 Consent

Brief-specific consent presented and recorded. Versioned. Withdrawable until release.
Controls: versioned record · tamper-evident log · granular scope
Audited by: ISO 27701 · GDPR · CCPA

03 Capture

Session recorded against the consented brief. Encrypted in transit and at rest. Tenant-isolated by partner.
Controls: AES-256 at rest · TLS 1.3 in transit · per-partner key
Audited by: ISO 27001 · SOC 2 · Cyber Essentials

04 Review

Internal reviewer applies tagging and segmentation. Access scoped to brief. Every action logged.
Controls: role-scoped · least-privilege · audit log
Audited by: ISO 27001 · SOC 2 · ISO 42001

05 Deliver

Structured batch delivered into the partner's environment. Schema co-versioned. Audit trail handed across.
Controls: signed manifest · partner-side audit · schema versioning
Audited by: ISO 27001 · SOC 2

06 Retire

After the retention window or on withdrawal of consent, source material is cryptographically destroyed on our side and the request is relayed to the partner.
Controls: crypto-shred · partner notification
Audited by: ISO 27701 · GDPR · CCPA
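The capture stage names a per-partner key and AES-256 at rest, and the retire stage names crypto-shred. The Go program below is an added illustration of how those two controls fit together; it is not Askable's code, and the page does not describe their implementation. It assumes an in-memory key store standing in for a KMS, AES-256-GCM as the at-rest cipher, and the partner id bound as associated data; the session text is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded is returned when the partner's key no longer exists, i.e. the
// material was crypto-shredded and is unrecoverable by construction.
var ErrShredded = errors.New("partner key shredded: material unrecoverable")

// KeyStore is an assumed in-memory stand-in for a KMS holding one AES-256 key
// per partner tenant (the "per-partner key" of the capture stage).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// keyFor returns the partner's key, generating a fresh 32-byte key on first use.
func (ks *KeyStore) keyFor(partner string) ([]byte, error) {
	if k, ok := ks.keys[partner]; ok {
		return k, nil
	}
	k := make([]byte, 32) // 256-bit key
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[partner] = k
	return k, nil
}

// Shred zeroes and discards the partner's key. Ciphertext may linger in backups
// or object storage, but without the key it is indistinguishable from random
// bytes; that is what crypto-shredding relies on.
func (ks *KeyStore) Shred(partner string) {
	if k, ok := ks.keys[partner]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, partner)
	}
}

// aead builds an AES-256-GCM cipher from a raw key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts session material under the partner's key. The partner id is
// bound as associated data, so a blob sealed for one tenant fails to open under
// another (tenant isolation is checked, not just assumed).
func Seal(ks *KeyStore, partner string, plaintext []byte) ([]byte, error) {
	key, err := ks.keyFor(partner)
	if err != nil {
		return nil, err
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return g.Seal(nonce, nonce, plaintext, []byte(partner)), nil
}

// Open decrypts a sealed blob for the partner. It deliberately does not call
// keyFor: after a shred there must be no path that mints a new key and hides
// the deletion behind an ordinary authentication failure.
func Open(ks *KeyStore, partner string, sealed []byte) ([]byte, error) {
	key, ok := ks.keys[partner]
	if !ok {
		return nil, ErrShredded
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(sealed) < n+g.Overhead() {
		return nil, errors.New("sealed blob truncated")
	}
	return g.Open(nil, sealed[:n], sealed[n:], []byte(partner))
}

func main() {
	ks := NewKeyStore()
	// Constructed sample session material, not real participant data.
	blob, _ := Seal(ks, "partner-a", []byte("session-42 transcript"))
	pt, err := Open(ks, "partner-a", blob)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	ks.Shred("partner-a")
	pt, err = Open(ks, "partner-a", blob)
	fmt.Printf("after shred:  %q err=%v\n", pt, err)
}
```

The detail worth checking in a review is in Open: because it never mints a replacement key, a post-shred read fails with an explicit ErrShredded rather than a generic GCM authentication error, which is the event an audit log and the partner notification should record. Shredding one partner's key leaves every other tenant's material readable, which is what per-partner keys buy over a single platform key.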
FAQ

The questions a vendor review usually opens with.

The full FAQ, controls catalog, subprocessor list, updates timeline, and gated evidence requests live on the trust portal. Below are the three questions we get most often that don't fit cleanly into a security questionnaire.

Where is participant and session data stored?

Primary processing happens in AWS Australia. Specific regions per data class are documented in the subprocessor inventory on the trust portal. Partner isolation, encryption at rest, and TLS in transit apply at every layer.

Can we get the SOC 2 Type II report, pen test summary, and ISMS policies?

Yes. Public certificates (ISO 27001, 27701, 42001, UK Cyber Essentials) are downloadable directly from the trust portal. The SOC 2 Type II report, penetration test summary, and internal policies are released under MNDA via the portal's "Request access" flow. Standard turnaround is under two business days.

What happens if a participant withdraws consent after a session has been delivered?

Source material on our side is cryptographically destroyed within the SLA. We relay the withdrawal request to the partner, but enforcement against material already ingested into the partner's environment is at their discretion under the partnership terms. This boundary is made explicit in the contract.

FULL TRUST CENTER

Detailed evidence, control mappings, subprocessors, and updates.

The trust portal is the source of truth: it reflects the current state of the production posture and is updated as the IMS changes.

Certificates: Every active certificate viewable and downloadable.
Controls catalog: Active controls listed by category, mapped to frameworks.
Subprocessors: Every subprocessor named with region and function.
Updates: Material posture changes logged in reverse chronological order.