How Kalam Is SOC 2 Compliant and ISO 27001 Ready
Security certifications are not badges — they are engineering constraints. Here is exactly what SOC 2 and ISO 27001 mean, what controls Kalam has built, and why it matters for businesses in regulated industries across the Arab world.
What SOC 2 and ISO 27001 actually mean
Most security claims in the software industry are marketing copy. "Enterprise-grade security" and "bank-level encryption" are phrases that mean nothing without third-party verification. SOC 2 and ISO 27001 are different: they are audited standards with specific, enumerated controls.
SOC 2 Type II
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 evaluates a company's controls across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II means the audit covers a period of time (typically 6–12 months), not just a single point-in-time snapshot. An independent auditor reviews logs, access controls, incident records, and processes — then issues a report that enterprise customers can request.
ISO 27001
The international standard for Information Security Management Systems (ISMS), published by the International Organization for Standardization. ISO 27001 requires organizations to systematically identify information security risks and implement controls from Annex A — a catalogue of 93 controls covering everything from physical security and access management to cryptography and supplier relationships. Certification is granted by an accredited body after a two-stage audit and is renewed every three years with annual surveillance audits.
Together, they represent the two most widely recognized security frameworks for cloud software. SOC 2 is the de facto standard in North America; ISO 27001 carries the most weight in Europe, the Middle East, and regulated sectors worldwide.
Kalam's security controls
Controls in place today
Encryption in transit and at rest
All traffic between clients and our infrastructure is encrypted with TLS 1.3. Conversation data stored in the database is encrypted at rest. Encryption keys are managed separately from encrypted data and rotated on a defined schedule. Even if the underlying storage were breached, plaintext conversations would not be exposed.
Least-privilege access control
Production systems are accessible only to named individuals with a documented business need. Access is granted through short-lived credentials, not standing privileges. All privileged access is logged and reviewed. No single engineer has unilateral access to both production infrastructure and user data without a peer-reviewed change request.
Immutable audit logs
Every authentication event, data access, infrastructure change, and API call is written to tamper-evident append-only logs. Logs are retained for 12 months and shipped to isolated storage that the application layer cannot modify or delete. This is a prerequisite for both SOC 2 evidence collection and ISO 27001's logging and monitoring controls.
Formal incident response plan
We maintain a written incident response playbook that defines severity levels, response timelines (P0 incidents: 15-minute response), escalation paths, and post-incident review requirements. Security incidents are tracked to resolution with root-cause analysis. Affected users are notified within 72 hours of a confirmed breach — aligning with GDPR Article 33 even for non-EU users.
Annual penetration tests
An independent third-party security firm conducts penetration tests of our web application and infrastructure annually, and after any major architectural change. Findings are triaged by severity: critical and high findings must be remediated within 7 and 30 days respectively. Test reports are available to enterprise customers under NDA.
Vulnerability management and dependency scanning
Automated dependency scanning runs on every code push. Critical CVEs in our dependency tree trigger an immediate patch cycle. Container images are rebuilt from hardened base images on a weekly schedule. Infrastructure is patched within defined SLAs based on CVSS severity.
Why this matters for Arab businesses and regulated sectors
Procurement teams in banking, healthcare, government, and legal services across the Gulf, Levant, and North Africa are increasingly requiring SOC 2 reports or ISO 27001 certificates before approving SaaS vendors. This was once a uniquely American or European requirement. It is now standard in UAE CBUAE fintech guidance, Saudi Arabia's NCA Essential Cybersecurity Controls, and Egypt's EG-CERT cloud security framework.
For a legal firm in Riyadh drafting confidential documents with AI assistance, or a healthcare provider in Cairo using Kalam to summarize patient notes, the question is not just "is this useful?" — it is "can our compliance officer approve this vendor?"
Kalam is the only Arabic-first AI assistant that is building toward formal certification with the security architecture to back it up. We are not retroactively bolting security onto a consumer product. The controls described above were designed in from the start.
Enterprise & regulated-sector inquiries
If your organization requires a copy of our security documentation, penetration test summary, or a vendor security questionnaire response, contact us at security@kalam.ma. We respond to all security inquiries within one business day.
What's next on the security roadmap
Formal SOC 2 Type II and ISO 27001 audits take time — not because the controls are missing, but because the audit covers a period of operational history. We are currently in the evidence collection phase for our first SOC 2 Type II report, targeting H2 2026. ISO 27001 certification is targeted for Q1 2027.
We will publish the SOC 2 report summary publicly and make the full report available to enterprise customers on request. Until formal certification is complete, we are happy to share our security documentation and answer any questions your security team has.
Security is not a feature. It's the foundation.
Kalam is the AI assistant built for the Arab world — with the security architecture that enterprises, regulated businesses, and privacy-conscious professionals deserve. Use it knowing exactly what controls protect your conversations.