Today Boundly steps out of stealth. We are doing it the way we believe a company that handles unpublished inventions should: with independent proof, not promises. Boundly now holds an active SOC 2 Type 2 attestation and is ISO 27001 certified.
We stayed quiet while we built. Not because the product was not ready, but because the bar for putting a patent practice’s most sensitive work into an AI tool is higher than "it works." It has to be safe, and it has to be provable. These two audits are how we prove it.


Independently attested and certified. Both reports are available under NDA through our Trust Center.
What SOC 2 Type 2 actually proves
SOC 2 is a report produced by an independent auditor against the AICPA Trust Services Criteria. The "Type 2" part is the part that matters. A Type 1 report checks that the right security controls exist on a single day. A Type 2 report observes whether those controls actually operate, correctly and consistently, over a sustained window of months. It is the difference between owning a fire extinguisher and having a fire-safety record.
Over that window, a SOC 2 Type 2 audit examines controls such as:
- Encryption of data in transit and at rest
- Access management, least privilege, and multi-factor authentication
- Change management and secure software development
- Continuous monitoring, logging, and incident response
- Vendor and subprocessor risk management
In plain terms: it is third-party evidence that we do what we say we do, not just on the day someone asks, but every day.
What ISO 27001 adds
ISO/IEC 27001 is the international standard for an Information Security Management System, or ISMS. Where SOC 2 centers on an auditor’s opinion of specific controls, ISO 27001 certifies something broader: that security is run as a managed, documented, continuously improving system across the whole company, from risk assessment to staff training to supplier controls. Certification is granted by an accredited body and re-checked on an ongoing basis.
The two frameworks overlap, but they answer different procurement questions, and large or international IP teams often ask for one specifically. Holding both means we can clear the security review wherever your firm or your clients sit.
Why this matters more for patent practitioners than almost anyone
Most software handles data that is sensitive. Patent work handles data that is sensitive and not yet legally protected. A draft application, an invention disclosure, an unfiled claim set: these are trade secrets whose value can evaporate the moment they leak. There is no undo.
That changes the stakes in ways that are specific to your work:
- Confidentiality is a professional duty. Practitioners are bound to protect client information, and any vendor that touches a matter becomes an extension of that duty. The tool has to be defensible, not just convenient.
- Premature disclosure can sink patentability. Information that escapes before filing can become prior art against your own client. An AI tool that trains on inputs, or leaks them, is not a productivity risk; it is an existential one.
- Procurement now demands proof. Corporate IP departments and larger firms increasingly require SOC 2 or ISO 27001 before a tool gets anywhere near a live matter. Security questionnaires are table stakes.
Security was the design, not an afterthought
This is why we did not bolt security on after launch. AES-256 encryption at rest, TLS 1.3 in transit, controlled and audited access, and a contractual guarantee that we never train on your data (enforced with every model provider and documented in your DPA) have been in place from the start. The audits are the independent confirmation of what was already built in.
It is also why AI Studio gives your team Claude, GPT, Gemini, and Grok through one secure, audited workspace, instead of pasting confidential text into consumer chatbots that may retain it.
How we got here: Scytale and Decrypt Compliance
Compliance theater is easy. Real assurance is not. We worked with Scytale to build and operate the underlying security program and the continuous evidence collection behind it. The audits themselves were performed by Decrypt Compliance, an independent firm. That separation is the point: the people who run the program are not the people who grade it.
See the proof yourself
We would rather show than tell. Our Trust Center is where enterprises can review our security posture and request the SOC 2 Type 2 report and ISO 27001 certificate under NDA. You can also watch real-time availability on our status page.
Patent work is some of the most confidential work there is. The tools that touch it should be able to prove they can be trusted. Now ours can. This is the floor, not the ceiling.