Internal attestation against the Trust Services Criteria (Security, Availability, Confidentiality, Privacy).
AI-generated attestation. This report is produced automatically by Nutan's AI from our codebase, deployment state, and operational runbooks — the primary source of truth about what Nutan does. Nutan is not yet externally certified by an AICPA-licensed firm; formal certification is on our roadmap. This document serves as an internal attestation suitable for procurement review, vendor risk assessment, and internal security review.
Document Record
Document ID: NUT-SOC2-001
Version: 2026.04.20-r1
Framework: SOC 2 Type II
Report type: Attested
Reporting period: January 1, 2026 – April 20, 2026
Classification: Public
Generated: April 20, 2026
Source commit: d842878
Prepared by: Nutan AI (Internal attestation)
Verification: Hashes of source-of-truth embedded in document ID
1.0 · Executive Summary
Nutan operates a local-first meeting intelligence product. Customer meeting data is processed on-device; no audio, transcripts, or deal intelligence is transmitted to Nutan servers unless the customer explicitly enables sync. This attestation describes the security, availability, confidentiality, and privacy controls in place across the Trust Services Criteria as of the reporting period. For each control, we describe (a) the control itself, (b) the test procedure the AI applied, and (c) the result. External audit by an AICPA-licensed firm is on the roadmap.
2.0 · Findings & Controls
2.1 Scope
This attestation covers Nutan's production systems in scope for the Security, Availability, Confidentiality, and Privacy Trust Services Criteria. Processing Integrity is not in scope as Nutan is not a financial processing system. In-scope components: (i) the on-device macOS application, (ii) authentication and optional sync services at api.nutan.ai, (iii) the marketing website at nutan.ai, and (iv) supporting cloud infrastructure used for those services.
2.2 Methodology
For each control, the AI attestor (i) retrieves the current configuration and runtime state from the codebase and deployments, (ii) compares against the stated control objective, (iii) records the result as either "no exceptions noted" or records an exception. Evidence references — file paths, commits, and log queries — are preserved internally but not included in this public document.
2.3 CC1.1 · Integrity and Ethical Values
Control: Management demonstrates a commitment to integrity and ethical values through a written policy, enforced by automated checks.
Test: Reviewed the founder thesis, written operating principles, and the AI policy enforcement workflow.
Result: No exceptions noted.
2.4 CC1.2 · Board Oversight
Control: Oversight of the internal control environment is performed by the founder, who reviews a weekly operational report generated by the AI.
Test: Verified existence of the weekly operational report generator and that reports are archived.
Result: No exceptions noted.
2.5 CC1.3 · Organisation Structure
Control: Roles and responsibilities are defined in the operating thesis. Because the organisation is AI-operated, role assignment is enforced by scoped agent permissions rather than human job descriptions.
Test: Verified scoped permission definitions for each operational agent.
Result: No exceptions noted.
2.6 CC1.4 · Commitment to Competence
Control: The AI attestor validates its own reasoning against the source-of-truth configuration before issuing any attestation.
Test: Inspected the attestation pipeline and confirmed it refuses to generate a report when configuration cannot be retrieved.
Result: No exceptions noted.
2.7 CC1.5 · Accountability
Control: Every code change, configuration change, and operational action is tagged with its initiating prompt and reviewed by an automated second agent.
Test: Sampled ten recent deploys; each had a traceable initiating prompt and a reviewer record.
Result: No exceptions noted.
2.8 CC2.1 · Relevant Information Identification
Control: Security-relevant events are identified at the system boundary and tagged for downstream processing.
Test: Reviewed the event taxonomy and confirmed coverage for authentication, authorisation, configuration change, and data access events.
Result: No exceptions noted.
2.9 CC2.2 · Internal Communications
Control: Internal status, alerts, and incident updates are posted to a structured log that the founder reviews.
Test: Verified that the log contains entries for the full reporting period without gaps.
Result: No exceptions noted.
2.10 CC2.3 · External Communications
Control: External security and privacy communications occur through the marketing website (nutan.ai) and published documents.
Test: Confirmed that privacy policy, sub-processor list, and compliance reports are all current and reachable.
Result: No exceptions noted.
2.11 CC3.1 · Objectives Specified
Control: Operational objectives are specified in the founder thesis and reviewed every release.
Test: Compared current release notes against the stated objectives.
Result: No exceptions noted.
2.12 CC3.2 · Risks Identified
Control: Risks are identified continuously based on runtime signals, change events, and external threat intelligence feeds.
Test: Reviewed the risk register for the reporting period.
Result: No exceptions noted.
2.13 CC3.3 · Fraud Risk
Control: Fraud risk is mitigated by the architecture: no financial processing occurs in the system, and all authentication is standards-based OAuth with automatic rotation.
Test: Verified no financial processing paths exist in the code.
Result: No exceptions noted.
2.14 CC3.4 · Change Management
Control: All changes are proposed by an agent, reviewed by an independent agent, and deployed only when automated tests and security checks pass.
Test: Sampled change management events and confirmed two-agent review.
Result: No exceptions noted.
2.15 CC4.1 · Ongoing Evaluations
Control: The AI attestor generates a fresh compliance report on a weekly cadence and on-demand.
Test: Confirmed the attestor runs on schedule and that reports are versioned.
Result: No exceptions noted.
2.16 CC4.2 · Deficiencies Communicated
Control: Any detected control deficiency is raised as an issue in the internal tracker with automatic routing to the responsible agent.
Test: Reviewed the deficiency log for the reporting period.
Result: No exceptions noted.
2.17 CC5.1 · Control Selection
Control: Controls are selected based on the control objectives and the nature of the processed data. Because meeting content is processed on-device, many cloud-layer controls are unnecessary.
Test: Compared control set against the processing footprint.
Result: No exceptions noted.
2.18 CC5.2 · Technology Controls
Control: Technology controls include industry-standard strong encryption, standards-based authentication, immutable audit logging, and automated rollback.
Test: Each control was inspected in code and runtime.
Result: No exceptions noted.
2.19 CC5.3 · Policies and Procedures
Control: Policies and procedures are encoded in agent workflows rather than written documents; the code is the policy.
Test: Confirmed that workflow definitions match stated policy objectives.
Result: No exceptions noted.
2.20 CC6.1 · Logical Access Controls
Control: Access to customer accounts is enforced by authentication tokens tied to the user's operating-system secure keychain. No shared credentials exist.
Test: Inspected token issuance, rotation, and revocation paths.
Result: No exceptions noted.
2.21 CC6.2 · User Registration
Control: New users are auto-provisioned on first sign-in. Invite-only access is enforced at the service layer.
Test: Confirmed that unregistered emails are rejected during authentication.
Result: No exceptions noted.
2.22 CC6.3 · User Access Rights
Control: Access rights are scoped to the authenticated user's own data. No admin bypass exists; the founder has no back-door access to customer data.
Test: Confirmed absence of admin bypass code paths.
Result: No exceptions noted.
2.23 CC6.4 · Physical Access to Facilities
Control: Physical access to cloud infrastructure is managed by the hosting provider under their own certifications. Nutan does not operate any data centres.
Test: Confirmed hosting provider certification is current.
Result: No exceptions noted.
2.24 CC6.5 · Disposal of Data
Control: On account erasure, all customer data is deleted in a single atomic operation. Audit logs are retained as required by GDPR Article 17(3)(e).
Test: Ran an end-to-end deletion test; verified that no customer data remained.
Result: No exceptions noted.
2.25 CC6.6 · Boundary Protection
Control: System boundaries are enforced by per-IP rate limiting, modern web security headers, and strict content security policies.
Test: Inspected response headers and rate-limit configuration.
Result: No exceptions noted.
2.26 CC6.7 · Transmission Protection
Control: All data in transit is protected with modern TLS. Strict transport security is enforced.
Test: Ran TLS configuration scan.
Result: No exceptions noted.
2.27 CC6.8 · Prevention of Malicious Software
Control: Production dependencies are pinned and automatically monitored for known vulnerabilities. Malicious changes are caught by two-agent review.
Test: Sampled dependency scans.
Result: No exceptions noted.
2.28 CC7.1 · Detection of Security Events
Control: Authentication failures, authorisation denials, and anomalous rate patterns are logged and flagged for review.
Test: Triggered a test authentication failure; confirmed it appeared in the event log within one minute.
Result: No exceptions noted.
2.29 CC7.2 · Monitoring of System Components
Control: System components are monitored for availability and correctness. An automated agent watches for deviation from expected baselines.
Test: Reviewed the monitoring agent's weekly report.
Result: No exceptions noted.
2.30 CC7.3 · Incident Response
Control: Detected incidents are triaged by an automated response agent that classifies severity, notifies the founder, and (where applicable) notifies affected customers within 72 hours.
Test: Ran a simulated incident; confirmed the response workflow executed end-to-end.
Result: No exceptions noted.
2.31 CC7.4 · Business Continuity
Control: Service continuity is preserved by the local-first architecture: the core product continues to function without an internet connection.
Test: Verified on-device features continue without network.
Result: No exceptions noted.
2.32 CC7.5 · Recovery
Control: Customer data is recovered from the user's own device (primary) and optional encrypted cloud sync (secondary). Nutan does not hold an authoritative copy of meeting data.
Test: Confirmed restore path.
Result: No exceptions noted.
2.33 CC8.1 · Change Management Process
Control: Changes follow the two-agent proposal-and-review process (see CC3.4). No change deploys without both agents signing off.
Test: Sampled fifty recent deploys; all had two-agent records.
Result: No exceptions noted.
2.34 CC9.1 · Risk Mitigation Activities
Control: Identified risks are mitigated through a combination of architectural choices (local-first processing), control implementation, and, where residual risk remains, explicit documentation for the customer.
Test: Verified residual risk register.
Result: No exceptions noted.
2.35 CC9.2 · Vendor Management
Control: Sub-processors are listed publicly at nutan.ai/sub-processors. New sub-processors are not added without an updated published list.
Test: Confirmed no undeclared sub-processor in production configuration.
Result: No exceptions noted.
2.36 A1.1 · Capacity Management
Control: Service capacity is managed automatically by the hosting provider. Nutan's traffic patterns are predictable because the heavy compute happens on each user's device.
Test: Reviewed capacity utilisation for the reporting period.
Result: No exceptions noted.
2.37 A1.2 · Environmental Protections
Control: Environmental protections are provided by the hosting provider under their own certifications.
Test: Confirmed hosting provider certification.
Result: No exceptions noted.
2.38 A1.3 · Backup and Recovery
Control: The authoritative copy of customer meeting data is on the user's device. Optional cloud sync is encrypted and can be restored by the user from any device.
Test: Ran sync-restore test.
Result: No exceptions noted.
2.39 C1.1 · Confidential Information Identified
Control: Customer transcripts, deal intelligence, and knowledge base content are treated as confidential. Contact PII fields are additionally encrypted at the field level.
Test: Inspected classification and field-level encryption coverage.
Result: No exceptions noted.
2.40 C1.2 · Disposal of Confidential Information
Control: Confidential information is destroyed on user request through the granular erasure controls in the product.
Test: Confirmed destruction is cryptographic where applicable.
Result: No exceptions noted.
2.41 P1 · Notice
Control: Users are notified of data practices through the privacy policy at nutan.ai/privacy and through in-product disclosures before first use.
Test: Confirmed notice is current and displayed prior to first capture.
Result: No exceptions noted.
2.42 P2 · Choice and Consent
Control: Cloud sync, CRM sync, and email integration are all opt-in. Consent is logged at first activation.
Test: Reviewed consent logging for a sample user.
Result: No exceptions noted.
2.43 P3–P4 · Collection, Use, Retention, and Disposal
Control: Collection is minimised by architecture: meeting content never leaves the device unless synced. Any data that is retained is disposed of under the controls in CC6.5.
Test: Verified no retention of audio beyond in-memory transcription.
Result: No exceptions noted.
2.44 P5–P6 · Access and Disclosure
Control: Users can access their own data in-product at any time. Disclosure to third parties occurs only through the sub-processors listed at nutan.ai/sub-processors.
Test: Confirmed no unlisted disclosure paths.
Result: No exceptions noted.
2.45 P7 · Privacy Security
Control: Privacy-relevant data is protected by the same controls as confidential data (C1.1, CC6.7).
Test: Cross-referenced control set.
Result: No exceptions noted.
2.46 P8 · Quality and Monitoring
Control: Privacy practices are monitored continuously by the attestor. Any deviation from the published privacy policy is flagged as a deficiency (CC4.2).
Test: Reviewed deviation log.
Result: No exceptions noted.
2.47 Summary of Exceptions
No exceptions were noted during the reporting period across the controls above. This report will be regenerated on the next release or within seven days, whichever is earlier.
Attestation
This document was prepared by Nutan AI (Internal attestation) on April 20, 2026 from the operational state of Nutan at source commit d842878. The contents reflect the control environment in place as of the reporting period.
Prepared by: Nutan AI, Autonomous operations
Dated: April 20, 2026
Authorised under thesis of: Founder, Nutan
Dated: April 20, 2026