Security Statement

EDA, Inc. (“EDA”) is committed to safeguarding all client and partner information. Our Information Security Program is designed around the principles of Confidentiality, Integrity, and Availability, supported by industry-standard controls and continuous improvement.

SOC 2 Compliance Status

EDA is currently undergoing an independent SOC 2 Type II audit with expected completion and formal attestation by November 2025. All required control policies are implemented and operating in alignment with the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. We conduct internal readiness reviews, third-party assessments, and continuous monitoring to validate ongoing compliance.

Governance & Risk Management

Our Enterprise Risk Management Program defines oversight by executive leadership and regular risk assessments of systems, vendors, and data assets. Policies are reviewed at least annually and approved by EDA’s Chief Technology Officer.

Information Security Controls

  1. Privilege enforcement, SSO, and multi-factor authentication for all administrative systems. User access is reviewed quarterly and revoked within 24 hours of termination.
  2. Encryption: All client data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Encryption keys are managed and rotated securely using controlled key-vault mechanisms.
  3. Network Protection: Perimeter firewalls, intrusion detection, and traffic filtering are maintained per the Network Security Policy. 24×7 monitoring detects anomalies and unauthorized activity.
  4. Logging & Monitoring: All access, system, and administrative events are logged, aggregated, and analyzed through a centralized SIEM for proactive alerting and forensic review.
  5. Vulnerability Management: Automated scanning and patching occur on a scheduled cadence; external penetration testing is performed annually.
  6. Change Management: All production changes follow documented approval, testing, and rollback procedures per the Change Management Policy.
  7. Backup & Recovery: Encrypted backups occur daily within Microsoft Azure’s U.S. regions, stored redundantly and tested for recovery per the Backup Policy and Business Continuity Plan.
  8. Incident Response: An established response plan defines detection, escalation, and client communication steps. Security incidents are logged, investigated, and reported promptly to affected parties if required by law.

Data Classification, Retention & Disposal

EDA classifies data by sensitivity and applies corresponding controls per the Data Classification Policy. Client data is retained only as necessary for contractual or regulatory purposes and securely destroyed in accordance with the Data Retention Policy and Backup Policy.

Vendor & Third-Party Security

All third-party providers undergo due diligence and contractual security review prior to engagement. Vendors handling client information must meet equivalent data-protection standards and are reevaluated annually.

Business Continuity & Disaster Recovery

EDA maintains an enterprise Business Continuity Plan to ensure resilience and minimize service interruption. Recovery procedures are tested annually and supported by geographically redundant cloud infrastructure.

Privacy & Client Responsibilities

EDA complies with applicable privacy frameworks including GDPR and CCPA. Client data remains the property of the client and is never sold or repurposed. Security within a client’s own network or environment remains the client’s responsibility under our shared-responsibility model.

Contact & Reporting

Questions about our security program, or requests for a copy of our forthcoming SOC 2 report (available under NDA once complete), may be directed to: info@executivedevelopment.com


Effective Date: October 2025
Next Review: Upon SOC 2 Type II completion (target November 2025)
Revision History
Version 1.0
Modification Date: 4/28/2025

EDA, Inc.
Phone: 405.751.3300 | (866) 393.2338
Email: info@executivedevelopment.com
Web: www.edainc.io