Newsroom

Apr 24

Written By

Justin Lee

Detect Achieves SOC 2 Type II Compliance 2026

Utilities, drone service providers, and powerline contractors send Detect some of the most sensitive data in their operations - high-resolution imagery of live transmission and distribution assets, defect classifications, and the risk calls that follow. That data deserves controls that match.

So we got audited.

Detect has completed a SOC 2 Type II audit in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations, also known as SSAE 18. The audit was performed by Prescient Security, an independent, AICPA-accredited CPA firm. The report is clean. No exceptions.

Here's what SOC 2 Type II compliance actually means, and why it matters to the people who send us their data.

What SOC 2 Type II tests

A SOC 2 Type I report checks that the right security controls exist on a given day. SOC 2 Type II is the harder version. An independent auditor watches those controls run over an observation window, pulls real evidence throughout, and renders an opinion on whether they operated effectively over time.

Our SOC 2 audit covered the Security Trust Services Criterion - the foundational category every SOC 2 report is built on. Over the observation window, the audit looked at:

  • how customer data moves through our systems
  • who has access to what, and how access is granted, reviewed, and revoked
  • how we monitor for anomalies and respond to security incidents
  • how we evaluate the vendors in our own stack
  • how we onboard and offboard our team
  • how changes to production are reviewed, approved, and logged

Each area is made up of specific controls. Each control had to be designed correctly and operate correctly. For the full window. With evidence.

We passed all of them.

Why SOC 2 Type II compliance matters if you run a utility

Utilities operating Bulk Electric System Cyber Systems are required under NERC CIP-013 to maintain a documented supply-chain cybersecurity risk management plan for their vendors. It is not optional. Penalties run up to $1 million per day per violation.

Your security team has to assess vendors like Detect. The North American Transmission Forum's CIP-013 implementation guidance names independent third-party assessments as an acceptable means of complying with vendor risk-management requirements - and a SOC 2 Type II report from a licensed CPA firm is exactly that kind of assessment.

In plain terms: our SOC 2 Type II report provides third-party-attested evidence your reviewers can reference for the access control, incident response, vendor management, and change management portions of your CIP-013 vendor assessment. Fewer questionnaire rounds. Shorter procurement cycle. Less friction between your security team and the utility asset management software your operations team needs.

The SOC 2 Type II report is a restricted-use document. We share the signed report under NDA with customers and prospects engaged in a vendor security review. Ask your Detect point of contact and you will have it the same day.

Why SOC 2 Type II matters if you are a DSP or contractor

If you capture or process imagery for a utility, you are inside that utility's supply chain. Their CIP-013 program looks at your software stack too.

The next time a utility asks "who processes your inspection imagery, and what are their security controls?" - you have an answer with third-party evidence behind it. That is the kind of detail that separates the drone service provider who wins the transmission inspection contract from the one who submits a great price and hears nothing back.

SOC 2 audit scope: what we covered and what we didn't

A SOC 2 Type II announcement that skips the scope is incomplete. Here is ours.

Trust Services Criteria. We audited against the Security TSC. Security is the common criteria every SOC 2 Type II report covers. The other four optional Trust Services Criteria - Availability, Processing Integrity, Confidentiality, and Privacy - are evaluated based on customer need. We will assess each for future SOC 2 audit cycles.

Observation window. This first SOC 2 Type II report covers a three-month observation window. Our next audit cycle runs twelve months, which provides stronger evidentiary weight for enterprise vendor management programs.

Continuous compliance: what's next

Our next SOC 2 Type II observation window starts the day after this one closed. The controls we were tested against run every day between audits - monitored by our GRC platform, reviewed by our team, and stress-tested by the inspection work our customers send us.

A SOC 2 Type II report is a snapshot. The system is what matters. We will go through this audit again next year, and the year after that. That is the cost of earning the kind of trust utility data deserves.

Credits

Thanks to Prescient Security for a thorough SOC 2 audit, to our GRC platform for keeping evidence collection continuous, and to the Detect team for the unglamorous work behind a clean report.

If you want to review the report or have questions about a specific control, reach out!

Get a Free Utility Audit