SOC 2 Type II and GDPR Compliance for Document Intelligence
Document intelligence platforms process sensitive enterprise data: financial statements, insurance claims, medical records, legal filings, and identity documents. Procurement, InfoSec, and compliance teams evaluating these platforms need verifiable evidence that data is protected throughout processing, storage, and deletion.
Parsewise is SOC 2 Type II and GDPR compliant. This page provides the specifics behind those certifications: what they cover, how data is handled, and what controls are in place. Certificates and policies are available at the Parsewise Trust Center.
SOC 2 Type II
SOC 2 Type II is an audit framework developed by the AICPA that evaluates an organization’s controls over security, availability, processing integrity, confidentiality, and privacy. Unlike SOC 2 Type I (which tests control design at a point in time), Type II tests the operating effectiveness of those controls over a sustained period, typically 6 to 12 months.
What the Parsewise SOC 2 Type II audit covers
- Security: Access controls, network protections, and vulnerability management across the Parsewise platform infrastructure
- Availability: Uptime monitoring, incident response, and disaster recovery procedures
- Confidentiality: Data classification, encryption controls, and access restrictions for customer data
- Processing integrity: Controls ensuring that document extraction and analysis produce accurate, complete, traceable outputs
The SOC 2 Type II report is available to customers and prospective customers under NDA. Contact security@parsewise.ai or visit the Trust Center to request a copy.
Why Type II matters for document intelligence
Document intelligence platforms handle high volumes of sensitive data continuously, not in one-off transactions. A point-in-time assessment (Type I) cannot confirm that controls remain effective during sustained processing of thousands of pages per run. Type II provides evidence that security controls operated correctly over time, which is what procurement and compliance teams in regulated industries require.
GDPR compliance
The General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the European Union and European Economic Area. Parsewise processes documents that frequently contain personal data: names, financial details, identity information, medical records, and employment data.
Parsewise’s GDPR controls
| GDPR requirement | Parsewise implementation |
|---|---|
| Lawful basis for processing | Parsewise processes customer data strictly as a data processor, under contractual instructions from the data controller (the customer) |
| Data Processing Agreement (DPA) | Standard DPA available for all customers; custom DPAs available for Enterprise customers |
| Data minimization | The platform processes only the documents customers upload; no data is collected beyond what is required for the requested extraction |
| Right to erasure | Customers can delete projects, documents, and extracted data at any time; zero data retention options are available |
| Data portability | Extracted outputs are exportable as structured data (Excel, JSON via API) |
| Sub-processor transparency | Sub-processors are documented and available for review |
| Regional data residency | EU and US data residency options; additional regions available on request |
Data Processing Agreement
A standard DPA is available for all Parsewise customers, including the free tier. Enterprise customers can negotiate custom DPAs that address organization-specific requirements, including sub-processor restrictions, audit rights, and breach notification timelines. Contact sales@parsewise.ai to discuss custom terms.
Data handling and encryption
Encryption
| Layer | Standard |
|---|---|
| In transit | TLS 1.2+ for all data transmitted between clients and Parsewise infrastructure |
| At rest | AES-256 encryption for all data stores, including uploaded documents, extracted data, and system metadata |
No training on customer data
Parsewise does not use customer data to train models. This applies to all tiers, including the free plan. Customer documents and extracted outputs are never used as training data for Parsewise’s models or any third-party models. This policy is documented in the Trust Center and enforceable through the DPA.
Data retention and deletion
- Customers control the lifecycle of their data. Documents and extraction results can be deleted at any time through the platform interface or API.
- Zero data retention options are available for customers who require that no data persists after processing.
- Deletion is permanent. When a customer deletes documents or projects, the data is removed from all active storage systems.
Audit trails and traceability
Parsewise maintains audit trails and versioning across all projects and extractions. Every extracted value is linked to its source document, page, and specific location. This built-in traceability supports:
- Internal audit and compliance review
- Regulatory reporting requirements
- Incident investigation and forensic analysis
- Proof of data lineage for downstream decisions
For a deeper explanation of how source attribution works, see Cross-Document Reasoning.
Enterprise security options
Enterprise customers have access to additional security controls:
| Capability | Details |
|---|---|
| VPC and on-premises deployment | Deploy Parsewise within your own infrastructure; data never leaves your environment. See VPC and On-Premises Deployment for details. |
| Regional data residency | Choose EU, US, or other regions to ensure data stays within jurisdictional boundaries |
| SSO and SAML authentication | Integrate with your identity provider for centralized access control |
| Custom SLAs | Negotiable uptime, response time, and support commitments |
| Custom DPAs | Tailored data processing terms, including sub-processor restrictions and audit rights |
Procurement checklist
Use this checklist to assess Parsewise against your organization’s security and compliance requirements.
| Requirement | Parsewise |
|---|---|
| SOC 2 Type II certified | Yes. Report available under NDA. |
| GDPR compliant | Yes. Standard DPA available for all customers. |
| Data encrypted in transit | Yes. TLS 1.2+. |
| Data encrypted at rest | Yes. AES-256. |
| Customer data used for model training | No. Never, on any tier. |
| Zero data retention option | Yes. Available on request. |
| Data deletion capability | Yes. Customer-controlled, permanent deletion. |
| VPC / on-premises deployment | Yes. Enterprise plan. |
| Regional data residency (EU, US) | Yes. Additional regions on request. |
| SSO / SAML support | Yes. Enterprise plan. |
| DPA available | Yes. Standard for all; custom for Enterprise. |
| Audit trails | Yes. Full versioning across projects and extractions. |
| Source attribution on extracted data | Yes. Page-level and word-level citations. |
| Sub-processor list available | Yes. Available on request. |
| Dedicated security contact | Yes. security@parsewise.ai |
Who this matters for
Parsewise serves customers in insurance and reinsurance, asset management, mortgage lending, regulatory compliance, and brokerage across the United States, United Kingdom, Switzerland, Germany, and Spain. These industries process documents containing personally identifiable information, protected health information, financial records, and legal filings on a daily basis. SOC 2 Type II and GDPR compliance are baseline requirements for any platform handling this data.
For industry-specific compliance considerations, see:
- AI for Insurance Underwriting for how Parsewise handles sensitive submission packages
- AI for Claims Triage and Severity Analysis for medical and legal document processing
- LP Reporting and Data Validation for fund-level data handling