Self-attestation letter — pre-certification bridge document

Industrial IQ — SOC 2 Security Controls Self-Attestation

Document version: 1.1  |  Date: May 2026  |  Issued by: R. Santhana Krishnan, Founder & CEO, Industrial IQ Inc.

Attestation statement

I, R. Santhana Krishnan, Founder and CEO of Industrial IQ Inc., hereby attest that, to the best of my knowledge and belief, the security controls documented below are implemented and operating as described in the AI2COE platform and PartsCleanse AI diagnostic service as of the date of this letter.

This attestation covers the Security (CC), Availability (A1), and Privacy (P) Trust Service Criteria relevant to Industrial IQ's role as a data processor receiving, analyzing, and purging MRO catalog CSV data on behalf of client organizations.

Nature of this document: This is a management self-attestation, not an independent auditor's examination. It does not constitute a SOC 2 Type I or Type II report. It is provided as a bridge document for enterprise procurement teams requiring security control evidence during the pre-certification period. A formal SOC 2 Type II audit engagement is planned as described in the Third-Party Audit Roadmap section below.

Controls attested

CC6.1 — Logical access controls

Authentication required for all protected workflows. Admin pages restricted to owner-role accounts enforced via database role column — not environment variable. Email domain validation rejects consumer email providers at registration. Session-based access control with HTTP-only, SameSite=Lax, Secure-flagged cookies. Maximum 5 failed login attempts before 15-minute account lockout.

CC6.6 — Security boundaries

CSRF tokens on all state-changing POST requests, validated with a constant-time comparison (Python's secrets.compare_digest, an alias of hmac.compare_digest) so that token checking does not leak timing information. The following headers are applied on every response: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: camera=(), microphone=(), geolocation=(self). Content-Security-Policy restricts script and connect sources to known origins. Production HSTS: max-age=31536000; includeSubDomains; preload.
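As an added illustration of the CSRF control described above (this is example code written for this page, not Industrial IQ's implementation), the block below issues a token bound to the caller's session and verifies it with secrets.compare_digest. The HMAC-over-session-id construction, the one-hour validity window, the SERVER_SECRET name and the request shape are assumptions made for the example; the attestation only states that tokens are required on state-changing POST requests and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side key. In a real deployment this would be loaded from a
# secrets store, not generated at import time.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed validity window for a token; the attestation does not state one.
TOKEN_TTL_SECONDS = 3600

# Methods that never change server state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _mac(session_id: str, issued_at: int) -> str:
    """HMAC-SHA256 over the session id and issue time, hex encoded."""
    message = f"{session_id}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Return a token of the form '<issued_at>.<mac>' bound to this session."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, issued_at)}"


def verify_csrf_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    """Accept only an unexpired token whose MAC matches this session.

    Parsing failures and expiry return False before any MAC work is done; the
    MAC itself is compared in constant time.
    """
    now = int(time.time()) if now is None else now
    try:
        issued_str, supplied_mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return False
    expected_mac = _mac(session_id, issued_at)
    # Compare as bytes: compare_digest on str objects raises TypeError for
    # non-ASCII input, which an attacker controls here.
    return secrets.compare_digest(expected_mac.encode(), supplied_mac.encode())


def csrf_check_passes(method: str, session_id: str,
                      token: Optional[str], now: Optional[int] = None) -> bool:
    """Gate a request: safe methods pass, everything else needs a valid token."""
    if method.upper() in SAFE_METHODS:
        return True
    if token is None:
        return False
    return verify_csrf_token(session_id, token, now)


if __name__ == "__main__":
    # Constructed demonstration: a token from one session is rejected by another.
    tok = issue_csrf_token("sess-A")
    print("same session :", verify_csrf_token("sess-A", tok))
    print("other session:", verify_csrf_token("sess-B", tok))
    print("tampered     :", verify_csrf_token("sess-A", tok[:-1] + "x"))
```

The token carries its issue time in the clear; integrity comes from the MAC, which an attacker cannot forge without SERVER_SECRET, and binding the session id into the MAC means a token captured from one session is useless in another.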

CC6.7 — Data transmission controls

All client-server communication requires TLS 1.2 or higher. HSTS is enforced on production to prevent protocol downgrade. Uploaded catalog files are transmitted via HTTPS only; chunked upload is not supported, so a partially received file is never left in a processable state.

CC7.2 — Monitoring and logging

Rotating application and error log files (5MB max, 10 backups). Admin audit log records: dashboard views, all export actions, edit-page access, before/after field values on every admin update. Report access, download, purge, and quota events logged with timestamp and run identifier. Log files stored separately from web root.

CC9.2 — Third-party sub-processors

Sub-processors are limited to: (1) cloud hosting provider (VPS/IaaS — responsible for physical security and hypervisor isolation; covered by their own SOC 2 Type II); (2) Tawk.to live chat (activated only with explicit cookie consent; no catalog data transmitted); (3) email delivery provider (SMTP relay — used for transactional notifications only; no catalog data transmitted). No sub-processor has access to uploaded catalog data.

A1.1 — Availability commitments

Engagement SLA commits 15-business-day diagnostic delivery from confirmed upload receipt. Planned maintenance communicated 48 hours in advance via registered email. RTO 24 hours for diagnostic engine; RTO 4 hours for account and report data. Business continuity plan documented at /bcdr.

P5.1 — Data handling and retention

Source catalog CSV purged automatically after successful report artifact generation. No catalog row data (descriptions, part numbers, quantities) retained in production database. Database stores only run metadata: SKU count, duplicate rate, capital estimate, run timestamp, report ownership. Data handling commitment published at /data-handling.

P6.6 — Data disposal

Uploaded source CSV and all temporary working files deleted on purge trigger. Purge event recorded in audit log with timestamp and run ID. Source catalog files are excluded from database backup by architectural design. No manual override of the purge sequence exists.

Third-party audit roadmap

Phase 1 — Readiness assessment: Planned Q3 2026. Independent security consultant to conduct gap analysis against AICPA SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). Findings to be remediated before formal audit engagement.
Phase 2 — SOC 2 Type I audit: Planned Q4 2026. Point-in-time audit of control design. Audit firm to be selected from AICPA-registered CPA firms with a technology sector SOC 2 practice.
Phase 3 — SOC 2 Type II audit: Planned Q2–Q3 2027. 6-month observation period audit of control operating effectiveness. Type II report to be made available to enterprise customers under NDA upon completion.
Penetration testing: External application penetration test planned Q3 2026 by an independent security firm. Results to be shared with enterprise customers upon request under appropriate confidentiality terms.

Data residency

AI2COE diagnostic processing is currently hosted in the United States (primary infrastructure). Uploaded MRO catalog CSV files are processed in isolated run folders and the source file is purged after report generation. Only summary metrics, Open Findings, report ownership, quota usage, feedback, and audit metadata are retained.

United States: Primary processing region. Current production hosting location for all diagnostic engine runs.
European Union: EU accounts requiring GDPR Article 28 DPA countersignature and in-region processing may request a data-handling commitment by contacting support@ai2coe.com with "DPA Request" in the subject line. In-region EU hosting is on the enterprise roadmap for Q4 2026.
Gulf Cooperation Council (GCC): GCC enterprise accounts may request a jurisdiction-specific data handling commitment. Custom residency arrangements are available by agreement for enterprise pilot accounts. Contact support@ai2coe.com with "GCC Data Residency" in the subject line.

Responsible disclosure

Industrial IQ maintains a responsible disclosure program. Security researchers who identify potential vulnerabilities in the AI2COE platform are invited to report findings to security@ai2coe.com. We commit to acknowledging receipt within 2 business days and to coordinated disclosure timelines. We do not pursue legal action against good-faith researchers who comply with responsible disclosure practices.

Limitations and scope exclusions

This attestation is based solely on management's direct knowledge of implemented controls. It does not reflect an independent auditor's assessment of design adequacy or operating effectiveness. Physical infrastructure security is governed by the cloud hosting provider's own SOC 2 Type II certification and is outside the scope of this attestation. Third-party sub-processor controls are limited to contractual obligations and the data access restrictions documented under CC9.2 above.

R. Santhana Krishnan
Founder & CEO, Industrial IQ Inc.
Date: May 2026
Document version: 1.1 — expanded to include CC6.7 (transmission controls), CC9.2 (sub-processors), responsible disclosure program, and formal third-party audit roadmap.

For enterprise procurement teams: This self-attestation letter may be attached to vendor qualification packages as interim evidence of security controls. For a signed PDF copy suitable for procurement filing, contact support@ai2coe.com with the subject line “SOC 2 Attestation — [Company Name]”. For security-specific inquiries, use security@ai2coe.com.