
Audited end to end. The same posture for 3,000+ clients.

Askable Labs runs on Askable’s production platform, not a separate one. That platform serves over 3,000 clients across banking, health insurance, and other regulated industries, underpins every sample in this catalogue, and is operated under a single Integrated Management System (IMS) that is externally attested under SOC 2 Type II and certified to ISO/IEC 27001:2022, 27701:2019, and 42001:2023.

Compliance · 8 frameworks
Controls in operation · 97
Subprocessors · 22
Operating since · 2017
Last updated · 2026-04-12
COMPLIANCE

Eight frameworks. One integrated management system.

External attestations and certifications held by Askable apply directly to Askable Labs — the lab runs on Askable’s production platform, not a parallel one. Everything you see below is testing the same IMS.

Certificates marked View are downloadable from the Resources section. The SOC 2 Type II report and penetration test summary are available under MNDA on request.

ISO/IEC 42001:2023

AI Management System

Certified

AIMS certification demonstrating responsible development and use of AI systems — governance, risk management, and ethical AI practices.

View certificate
ISO/IEC 27001:2022

Information Security MS

Certified

ISMS certification confirming Askable meets internationally recognised standards for managing and protecting information security risks.

View certificate
ISO/IEC 27701:2019

Privacy Information MS

Certified

PIMS certification demonstrating commitment to protecting personal data and compliance with global privacy regulations including GDPR.

View certificate
SOC 2 Type II

AICPA Trust Services Criteria

Attested

Independent auditor report verifying security, availability, and confidentiality controls have operated effectively over a sustained audit period — not just at a single point in time.

Request access (MNDA)
GDPR

EU 2016/679

Compliant

General Data Protection Regulation. Lawful basis, data subject rights, DPIA, and cross-border transfer controls embedded in the platform.

Read DPA
UK Cyber Essentials

NCSC baseline

Certified

UK government-backed certification confirming Askable has implemented essential cybersecurity controls against the most common internet-based threats.

View certificate
Wiz Cloud Security

Excellence recognition

Recognised

Cloud security posture recognition from Wiz for adherence to cloud-native security best practice across AWS workloads.

Read more
CCPA

California Consumer Privacy

Compliant

California Consumer Privacy Act compliance. Right to know, right to delete, right to opt out — supported across the platform.

Read CCPA policy
THE POSTURE, IN ONE PARAGRAPH

One platform. One audited posture.

Askable is a global SaaS platform for research and capture, trusted by 3,000+ clients in banking, health insurance, and other regulated industries. Recruitment, consent, capture, tagging, review, and delivery are code paths on one audited system.

The certifications above describe that posture viewed through multiple external lenses: SOC 2 Type II, ISO/IEC 27001:2022, 27701:2019, 42001:2023, Cyber Essentials, GDPR, CCPA, and Wiz Cloud Security Excellence — all bound by the IMS.

Session lifecycle — controls in code · enforced & logged
01

Recruit

Participant matched to a brief via Askable's panel. Identity verified at recruitment and re-verified at session via Kinde SSO + MFA.
SSO + MFA · tenant-isolated
Participant data · AU primary
02

Consent

Brief-specific consent presented and recorded. Versioned. Withdrawable until release.
versioned record · tamper-evident log
Consent record · retained per policy
03

Capture

Session recorded against the consented brief via LiveKit. Encrypted in transit and at rest. Tenant-isolated by partner.
AES-256 at rest · TLS in transit · per-partner key
Raw artefact · AU AWS region
04

Review

Internal reviewer applies tagging and segmentation. Access scoped to brief. Every action logged in Datadog.
role-scoped · least-privilege · audit log
Reviewer access · revocable
05

Deliver

Structured batch delivered into the partner's environment. Schema co-versioned. Audit trail handed across.
signed manifest · partner-side audit
Retention · partner-configured
06

Retire

After the retention window or on withdrawal, source material is cryptographically destroyed and the deletion is attested.
crypto-shred · attestation
Withdrawal · supported end-to-end
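The six steps above name the controls (per-partner key, versioned consent in a tamper-evident log, role-scoped review actions logged, a signed delivery manifest, crypto-shred with attestation) but do not show how they compose. The model below is an added illustration written for this page; it is not Askable's code and makes no claim about how the platform implements any step. It uses only the Python standard library, so a SHAKE-256 keystream stands in for AES-256 and an HMAC tag stands in for a signature on the manifest; the key store, event names, the partner identifier `partner-7`, the brief `brief-42` and the recording bytes are all constructed for the example.

```python
"""Illustrative model of the six lifecycle controls above. Added for this page;
not Askable's code. Standard library only: a SHAKE-256 keystream stands in for
AES-256 and an HMAC tag stands in for a signature on the delivery manifest."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
ZERO_HEAD = "00" * 32  # chain anchor for an empty log


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream from key||nonce (stand-in for AES)."""
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_artefact(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + stream_xor(key, nonce, plaintext)


def decrypt_artefact(key: bytes, blob: bytes) -> bytes:
    return stream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TamperEvidentLog:
    """Hash-chained, HMAC-tagged event log: each tag commits to the previous
    tag, so editing, reordering or truncating entries breaks verification."""

    def __init__(self, mac_key: bytes) -> None:
        self.mac_key = mac_key
        self.entries: list[dict] = []
        self.head = ZERO_HEAD

    def _tag(self, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.mac_key, body, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        record = {"prev": self.head, "event": event}
        tag = self._tag(record)
        self.entries.append({"record": record, "tag": tag})
        self.head = tag
        return tag

    def verify(self) -> bool:
        head = ZERO_HEAD
        for entry in self.entries:
            if entry["record"]["prev"] != head:
                return False
            if not hmac.compare_digest(self._tag(entry["record"]), entry["tag"]):
                return False
            head = entry["tag"]
        return head == self.head  # catches truncation of the tail


def sign_manifest(delivery_key: bytes, manifest: dict) -> dict:
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest,
            "sig": hmac.new(delivery_key, body, hashlib.sha256).hexdigest()}


def verify_manifest(delivery_key: bytes, signed: dict, artefact: bytes) -> bool:
    """Partner-side check: tag must verify and the artefact must match its hash."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(delivery_key, body, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, signed["sig"])
            and signed["manifest"]["artefact_sha256"] == sha256_hex(artefact))


def crypto_shred(keystore: dict, log: TamperEvidentLog, partner: str, reason: str) -> str:
    """Retire: drop the partner's data key and append an attestation binding the
    deletion to the key fingerprint. A KMS deployment would schedule key
    deletion here instead of popping a dict entry (assumption, not Askable's design)."""
    fingerprint = sha256_hex(keystore.pop(partner))
    return log.append({"type": "retire", "partner": partner,
                       "reason": reason, "key_sha256": fingerprint})


def run_lifecycle() -> dict:
    """Walk steps 01-06 for one constructed session; return what each check yields."""
    partner = "partner-7"                          # constructed identifier
    keystore = {partner: secrets.token_bytes(32)}  # per-partner data key
    log = TamperEvidentLog(mac_key=secrets.token_bytes(32))
    delivery_key = secrets.token_bytes(32)
    recording = b"constructed session recording bytes"

    log.append({"type": "recruit", "partner": partner, "identity": "sso+mfa"})  # 01
    log.append({"type": "consent", "partner": partner, "brief": "brief-42", "version": 3})  # 02
    blob = encrypt_artefact(keystore[partner], recording)  # 03
    log.append({"type": "capture", "partner": partner, "artefact_sha256": sha256_hex(blob)})
    log.append({"type": "review", "partner": partner, "reviewer": "r-1", "action": "tag"})  # 04
    signed = sign_manifest(delivery_key, {"partner": partner, "schema": "v2",  # 05
                                          "artefact_sha256": sha256_hex(blob),
                                          "log_head": log.head})
    round_trip = decrypt_artefact(keystore[partner], blob) == recording

    # An insider rewriting the consent version after the fact is caught by the chain.
    tampered = TamperEvidentLog(log.mac_key)
    tampered.entries, tampered.head = json.loads(json.dumps(log.entries)), log.head
    tampered.entries[1]["record"]["event"]["version"] = 2

    crypto_shred(keystore, log, partner, "retention window elapsed")  # 06
    return {
        "log_ok": log.verify(),
        "manifest_ok": verify_manifest(delivery_key, signed, blob),
        "round_trip": round_trip,
        "tampered_log_ok": tampered.verify(),
        "key_present_after_retire": partner in keystore,
        "retire_attested": log.entries[-1]["record"]["event"]["type"] == "retire",
    }


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
```

The point a reviewer should take from the model is the binding between the pieces: the manifest carries the log head at delivery time, so the partner-side audit can later check that nothing before delivery was rewritten, and the retire attestation lives in the same chain, so "the deletion is attested" means a verifiable entry rather than a free-text note.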
RESOURCES

Certificates, reports, and policies.

Public certificates are viewable directly. Reports containing customer detail (the SOC 2 Type II report and the penetration test summary) and internal policies are released under MNDA via Request access.

Every request lands with the security team in a single inbox; turnaround is typically under two business days. Send security checklists directly to security@askable.com.

Certifications & reports

8 items

ISO/IEC 42001:2023 Certificate

Artificial Intelligence Management System (AIMS) certification demonstrating responsible development and use of AI systems, including governance, risk management, and ethical AI practices.

Public · View

ISO/IEC 27001:2022 Certificate

Information Security Management System (ISMS) certification confirming Askable meets internationally recognised standards for managing and protecting information security risks.

Public · View

ISO/IEC 27701:2019 Certificate

Privacy Information Management System (PIMS) certification demonstrating commitment to protecting personal data and compliance with global privacy regulations including GDPR.

Public · View

SOC 2 Type II Report

Independent auditor report verifying that Askable's security, availability, and confidentiality controls have been operating effectively over a sustained audit period, not just at a single point in time.

MNDA · Request access

UK Cyber Essentials Certificate

UK government-backed certification confirming Askable has implemented essential cybersecurity controls to protect against the most common internet-based threats and cyberattacks.

Public · View

Penetration Test Summary Report

Findings of a penetration test performed for Askable Pty Ltd against the Askable web application platform by Acumenis, validating the effectiveness of implemented security controls.

MNDA · Request access

Accessibility Report (VPAT)

Independent evaluation of my.askable against WCAG 2.2 Level A and AA standards by me2 Accessibility. Voluntary Product Accessibility Template providing detailed conformance information.

MNDA · Request access

DR Test Results — Database Restore

Disaster recovery test validating Askable's ability to restore the production database from a snapshot backup following a simulated critical data-loss event.

MNDA · Request access

Policies

5 items

Information Security, Privacy & AI Policy

Master policy governing how the Integrated Management System (IMS) is operated across security, privacy, and AI practices.

MNDA · Request access

Vulnerability Management Policy

Defines how vulnerabilities are discovered, triaged, remediated under SLAs, and verified across production systems.

MNDA · Request access

Acceptable Use Policy

Rules for the acceptable use and handling of Askable information assets by personnel and contractors.

MNDA · Request access

Endpoint Security Policy

Standards for the protection of user endpoint devices — encryption, MDM enrolment, screen-lock, patching.

MNDA · Request access

Data Subject Rights Policy

Process for responding to data subject access, deletion, and correction requests under GDPR / CCPA / Australian Privacy Act.

MNDA · Request access
CONTROLS

97 controls operating across five categories.

The full Annex A & ISO/IEC 27002:2022 control set, the operational controls under the IMS, and the AI lifecycle controls under ISO/IEC 42001. Every control is owned, documented, evidenced, and reviewed under the internal audit programme — SOC 2 Type II tests their operating effectiveness over the audit window.

Filter by category in the sidebar, or search across all controls.

Infrastructure security

25 controls · infrastructure security
01

Remote access encrypted, enforced

Production systems can only be remotely accessed by authorised employees via an approved encrypted connection.

In operation
02

Production database access restricted

Privileged access to databases is restricted to authorised users with a business need.

In operation
03

Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services are established in line with the organisation's information security requirements.

In operation
04

Information transfer

Information transfer rules, procedures, or agreements are in place for all types of transfer facilities within the organisation and between the organisation and other parties.

In operation
05

Use of cryptography

Rules for the effective use of cryptography, including cryptographic key management, are defined and implemented.

In operation
06

Access control

Rules to control physical and logical access to information and other associated assets are established and implemented based on business and information security requirements.

In operation
07

Identity management

The full life cycle of identities is managed — provisioning, modification, review, and de-provisioning.

In operation
08

Authentication information

Allocation and management of authentication information is controlled by a management process, including advising personnel on the appropriate handling of authentication information.

In operation
09

Access rights

Access rights to information and other associated assets are provisioned, reviewed, modified and removed in accordance with the organisation's topic-specific policy on access control.

In operation
10

Privileged access rights

The allocation and use of privileged access rights is restricted and managed.

In operation
11

Information access restriction

Access to information and other associated assets is restricted in accordance with the established topic-specific policy on access control.

In operation
12

Secure authentication

Secure authentication technologies and procedures are implemented based on information access restrictions and the topic-specific policy on access control.

In operation
13

Use of privileged utility programs

Utility programs capable of overriding system and application controls are restricted and tightly controlled.

In operation
14

Logging

Logs that record activities, exceptions, faults and other relevant events are produced, stored, protected and analysed.

In operation
15

Monitoring activities

Networks, systems and applications are monitored for anomalous behaviour and appropriate actions are taken to evaluate potential information security incidents.

In operation
16

Remote working

Security measures are implemented when personnel are working remotely to protect information accessed, processed or stored outside the organisation's premises.

In operation
17

Networks security

Networks and network devices are secured, managed and controlled to protect information in systems and applications.

In operation
18

Security of network services

Security mechanisms, service levels and service requirements of network services are identified, implemented and monitored.

In operation
19

Segregation of networks

Groups of information services, users and information systems are segregated in the organisation's networks.

In operation
20

Web filtering

Access to external websites is managed to reduce exposure to malicious content.

In operation
21

Application security requirements

Information security requirements are identified, specified and approved when developing or acquiring applications.

In operation
22

Secure system architecture and engineering principles

Principles for engineering secure systems are established, documented, maintained and applied to any information system development activities.

In operation
23

Threat intelligence

Information relating to information security threats is collected and analysed to produce threat intelligence.

In operation
24

Unique production database authentication enforced

Authentication to production datastores uses authorised secure authentication mechanisms, such as a unique SSH key per user rather than shared credentials.

In operation
25

Production application access restricted

Access to the production application is restricted to authorised users; there is no anonymous or shared access path.

In operation

Organizational security

23 controls · organizational security
01

Password policy enforced

Passwords for in-scope system components are configured according to the company's policy.

In operation
02

Information security roles and responsibilities

Information security roles and responsibilities are defined and allocated according to the organisation's needs.

In operation
03

Determining the scope of the ISMS

The organisation determines the boundaries and applicability of the information security management system to establish its scope, considering external/internal issues, requirements, and interfaces.

In operation
04

Inventory of information and other associated assets

An inventory of information and other associated assets, including owners, is developed and maintained.

In operation
05

Return of assets

Personnel and other interested parties return all the organisation's assets in their possession upon change or termination of their employment, contract or agreement.

In operation
06

Intellectual property rights

Appropriate procedures are implemented to protect intellectual property rights.

In operation
07

Security of assets off-premises

Off-site assets are protected.

In operation
08

Storage media

Storage media is managed through its life cycle of acquisition, use, transportation and disposal in accordance with the organisation's classification scheme and handling requirements.

In operation
09

Secure disposal or re-use of equipment

Items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

In operation
10

User endpoint devices

Information stored on, processed by or accessible via user endpoint devices is protected.

In operation
11

Protection against malware

Protection against malware is implemented and supported by appropriate user awareness.

In operation
12

Competence

Necessary competence is determined, persons doing security-affecting work are competent on the basis of education/training/experience, and actions are taken to acquire competence where needed.

In operation
13

Awareness

Persons doing work under the organisation's control are aware of the information security policy, their contribution to the ISMS, and the implications of non-conformance.

In operation
14

Screening

Background verification checks on all candidates are carried out prior to joining the organisation and on an ongoing basis, proportional to business requirements and risk.

In operation
15

Disciplinary process

A disciplinary process is formalised and communicated to take actions against personnel who have committed an information security policy violation.

In operation
16

Responsibilities after termination

Information security responsibilities and duties that remain valid after termination or change of employment are defined, enforced and communicated.

In operation
17

Confidentiality / non-disclosure agreements

Confidentiality or non-disclosure agreements reflecting the organisation's needs are identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

In operation
18

Operation planning and control

Processes needed to meet ISMS requirements are planned, implemented and controlled, with planned changes reviewed and externally provided processes controlled.

In operation
19

Physical security monitoring

Premises are continuously monitored for unauthorised physical access.

In operation
20

Protecting against physical and environmental threats

Protection against physical and environmental threats — such as natural disasters and other intentional or unintentional physical threats to infrastructure — is designed and implemented.

In operation
21

Clear desk and clear screen

Clear desk rules for papers and removable storage media, and clear screen rules for information processing facilities, are defined and appropriately enforced.

In operation
22

Information security awareness, education & training

Personnel and relevant interested parties receive appropriate information security awareness, education and training, with regular updates of policy and procedures.

In operation
23

Whistleblower policy established

A formalised whistleblower policy is established, with an anonymous communication channel for users to report potential issues or fraud concerns.

In operation

Product security

9 controls · product security
01

Vulnerability and system monitoring procedures established

Formal policies outline the requirements for vulnerability management and system monitoring.

In operation
02

Data encryption utilised

Datastores housing sensitive customer data are encrypted at rest.

In operation
03

Penetration testing performed

Penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

In operation
04

Access to source code

Read and write access to source code, development tools and software libraries is appropriately managed.

In operation
05

Secure development life cycle

Rules for the secure development of software and systems are established and applied.

In operation
06

Secure coding

Secure coding principles are applied to software development.

In operation
07

Security testing in development and acceptance

Security testing processes are defined and implemented in the development life cycle.

In operation
08

Separation of development, test and production environments

Development, testing and production environments are separated and secured.

In operation
09

Test information

Test information is appropriately selected, protected and managed.

In operation

Internal security procedures

31 controls · internal security procedures
01

Independent review of information security

The organisation's approach to managing information security is reviewed independently at planned intervals, or when significant changes occur.

In operation
02

Cybersecurity insurance maintained

Cybersecurity insurance is maintained to mitigate the financial impact of business disruptions.

In operation
03

Configuration management system established

A configuration management procedure ensures that system configurations are deployed consistently throughout the environment.

In operation
04

ICT readiness for business continuity

ICT readiness is planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

In operation
05

Information backup

Backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific backup policy.

In operation
06

Capacity management

The use of resources is monitored and adjusted in line with current and expected capacity requirements.

In operation
07

Configuration management

Configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed.

In operation
08

Planning of changes

When the organisation determines the need for changes to the ISMS, the changes are carried out in a planned manner.

In operation
09

Installation of software on operational systems

Procedures and measures are implemented to securely manage software installation on operational systems.

In operation
10

Internal audit — general

Internal audits are conducted at planned intervals to provide information on whether the ISMS conforms to requirements and is effectively implemented and maintained.

In operation
11

Internal audit programme

An audit programme is planned, established, implemented and maintained — frequency, methods, responsibilities, planning requirements and reporting.

In operation
12

Nonconformity and corrective action

When a nonconformity occurs, the organisation reacts, evaluates causes, implements actions, reviews effectiveness, and changes the ISMS if necessary.

In operation
13

Legal, statutory, regulatory & contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation's approach to meet them are identified, documented and kept up to date.

In operation
14

Information security management system

The organisation establishes, implements, maintains and continually improves an information security management system.

In operation
15

Organisational roles, responsibilities & authorities

Top management ensures that responsibilities and authorities for ISMS-relevant roles are assigned and communicated within the organisation.

In operation
16

Monitoring, measurement, analysis & evaluation

The organisation determines what is monitored and measured, the methods, when, by whom, and analyses the results to evaluate ISMS performance and effectiveness.

In operation
17

Continual improvement

The organisation continually improves the suitability, adequacy and effectiveness of the ISMS.

In operation
18

Management responsibilities

Management requires all personnel to apply information security in accordance with established policy, topic-specific policies and procedures.

In operation
19

Contact with special interest groups

The organisation establishes and maintains contact with special interest groups, security forums and professional associations.

In operation
20

Documented operating procedures

Operating procedures for information processing facilities are documented and made available to personnel who need them.

In operation
21

Addressing information security within supplier agreements

Relevant information security requirements are established and agreed with each supplier based on the type of supplier relationship.

In operation
22

Incident management planning and preparation

The organisation plans and prepares for managing information security incidents by defining, establishing and communicating incident management processes, roles and responsibilities.

In operation
23

Assessment and decision on information security events

The organisation assesses information security events and decides whether to categorise them as information security incidents.

In operation
24

Information security during disruption

The organisation plans how to maintain information security at an appropriate level during disruption.

In operation
25

Information security event reporting

A mechanism is provided for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

In operation
26

Resources

The organisation determines and provides the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS.

In operation
27

Information security in project management

Information security is integrated into project management.

In operation
28

General actions to address risks and opportunities

When planning the ISMS, the organisation considers issues and requirements to determine the risks and opportunities to address — ensuring intended outcomes, preventing undesired effects, and achieving continual improvement.

In operation
29

Information security risk assessment

Information security risk assessments are performed at planned intervals or when significant changes are proposed or occur. Results are retained as documented information.

In operation
30

Information security risk treatment

The information security risk treatment plan is implemented, and documented information on the results of risk treatment is retained.

In operation
31

Outsourced development

The organisation directs, monitors and reviews the activities related to outsourced system development.

In operation

Data and privacy

9 controls · data and privacy
01

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets are identified, documented and implemented.

In operation
02

Classification of information

Information is classified according to the information security needs of the organisation based on confidentiality, integrity, availability and relevant interested party requirements.

In operation
03

Labelling of information

An appropriate set of procedures for information labelling is developed and implemented in accordance with the information classification scheme adopted by the organisation.

In operation
04

Protection of records

Records are protected from loss, destruction, falsification, unauthorised access and unauthorised release.

In operation
05

Information deletion

Information stored in information systems, devices or in any other storage media is deleted when no longer required.

In operation
06

Data masking

Data masking is used in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

In operation
07

Data leakage prevention

Data leakage prevention measures are applied to systems, networks and any other devices that process, store or transmit sensitive information.

In operation
08

Privacy and protection of PII

The organisation identifies and meets the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

In operation
09

Continuity and disaster recovery plans established

Business Continuity and Disaster Recovery Plans are in place, including communication plans, so that information security continuity is maintained when key personnel are unavailable.

In operation
SUBPROCESSORS

22 third parties. Notify-on-change, 30 days.

The current subprocessor inventory. Each entry names the function performed, the region of processing, and a description of the data class touched.

Notify-on-change. Partner accounts receive 30-day advance notification of any addition or removal from this list.

MongoDB Atlas · Australia · Database

Cloud-hosted database service used to store and manage platform data — participant profiles, client account information, screener responses, study configurations, and research session metadata.

Amazon Web Services · Australia · Infrastructure

Cloud infrastructure provider that hosts the Askable platform and securely stores personal data including session recordings, participant files, and application data. All primary data processing and storage occurs within Australian AWS regions.

Google Cloud Platform · USA · Infrastructure & AI

Cloud infrastructure and AI services provider used to support platform hosting, data storage, and operational services. Where AI-powered features are enabled, also processes prompt inputs and outputs to deliver generative AI functionality.

Datadog · USA · Observability

Monitoring and logging platform used to track application performance, detect errors, and maintain platform reliability. May process operational metadata such as anonymised request logs and system events to support incident resolution and service improvement.

Intercom · USA · Customer Support

Customer messaging platform that provides in-app live chat and support communications for clients, participants, and researchers. Processes contact details and message content to facilitate real-time support and help-centre interactions.

Annature · Australia · Document Management

Electronic signature platform used to facilitate the signing and secure storage of non-disclosure agreements. Processes signatory names and signature data for participants and researchers prior to research sessions.

Anthropic · USA · LLM Provider

Large language model provider that powers AI features within the platform, including AI Moderated Interviews, automated insight generation, and research analysis. Processes participant responses, session transcripts, and research data where the client chooses to use AI-powered features.

OpenAI · USA · LLM Provider

Large language model provider that powers AI features within the platform, including AI Moderated Interviews, automated insight generation, and research analysis. Processes participant responses, session transcripts, and research data where the client chooses to use AI-powered features.

AssemblyAI · USA · Transcription

Speech-to-text service used to generate written transcripts from audio and video recordings captured during Askable Sessions. Processes participant and researcher voice data from recorded research interviews.

Deepgram · USA · Speech-to-Text

Real-time speech recognition provider used to convert participant voice responses into text during AI Moderated Interviews. Processes audio data from participants where the client chooses to use the AI Moderation feature.

ElevenLabs · USA · Text-to-Speech

Voice synthesis provider that generates natural-sounding speech for the AI Moderator agent during AI Moderated Interviews. Processes interview questions and follow-up prompts to deliver a conversational research experience across 15+ languages.

LiveKit · USA · Video Conferencing

Real-time video and audio communication platform that powers Askable Sessions for remote research interviews. Processes audio/video streams, screen-sharing data, and session recordings for facilitators, participants, and observers.

Kinde · Australia · Authentication

Secure authentication and identity management platform that handles login, registration, and SSO for clients, researchers, and participants. Processes user credentials, email addresses, and access tokens to manage platform access.

Twilio · USA · SMS & Communications

Cloud communications provider used to send SMS notifications and reminders to research participants — session confirmations, scheduling updates, and study invitations. Processes participant phone numbers and message content.

Resend · USA · Email Delivery

Transactional email delivery service used to send platform-generated emails such as session confirmations, scheduling links, and account notifications. Processes recipient email addresses and message content.

Customer.io · USA · Marketing

Email marketing platform used to send marketing communications such as product updates, company updates, event notifications, newsletters, and promotions.

GiftPay · Australia · Incentive Payments

Digital gift card provider used to deliver incentive payments to research participants upon study completion. Processes participant names, email addresses, and payment preference details to issue and track gift card rewards.

Slack · USA · Communications (optional)

Messaging platform used for internal team communications and, where opted in by the client, as a direct communication channel between Askable and the client. May process client contact details, project updates, and research coordination messages.

monday.com · Australia · Project Management

Work management platform used to coordinate research project delivery and internal workflows. May process client contact details, project briefs, and scheduling information in the context of managed research services such as Project Delivery.

Inngest · USA · Workflow Orchestration

Workflow orchestration platform that enables reliable background jobs and multi-step processes with built-in retries and observability. Orchestrates platform operations such as participant matching, notification delivery, and AI analysis pipelines that may involve personal data in transit.

Turbopuffer · Australia · Vector Database

Serverless vector database that provides fast, scalable vector search and full-text search capabilities for AI-powered features. Stores and retrieves vectorised representations of research data to power semantic search across sessions, transcripts, and insights within Askable AI and Industry Streams.

Askable Pty Ltd (Admin) · Australia
Platform & Services

Australian parent entity responsible for the provision of the Askable platform and services, technical support, and resourcing on behalf of Askable Limited (UK) and Askable Inc. (USA). Processes all categories of personal data described in the Data Processing Addendum in connection with platform operations.

Notify-on-change · 30-day advance notice
Last reviewed · 2025-09 under IMS change-management
Next review · 2026-03

UPDATES

What changed, and when.

Material changes to the Trust Center: certification milestones, audit completions, subprocessor additions and removals, policy revisions. Reverse chronological.

Subscribe via security@askable.com.

  1. 2026-04-12 · Audit

    ISO/IEC 27001:2022 annual surveillance audit completed

    Independent surveillance audit of the ISMS completed with zero major nonconformities. Audit report logged in the IMS evidence register.

  2. 2026-02-28 · Cert

    ISO/IEC 42001:2023 certification achieved

    First-issue certification of the AI Management System under ISO/IEC 42001:2023, covering responsible development of AI features across the Askable platform.

  3. 2026-01-15 · Subprocessor

    Added Turbopuffer (vector database)

    Added Turbopuffer as a subprocessor for vector and full-text search powering AI features. Hosted in Australia. 30-day notification window observed.

  4. 2025-12-08 · Report

    SOC 2 Type II report published (FY25 window)

    New SOC 2 Type II report covering the audit window 1 Nov 2024 – 31 Oct 2025 is available under MNDA. Bridge letter available for the gap to current date.

  5. 2025-10-21 · Accessibility

    WCAG 2.2 AA accessibility assessment completed

    Independent VPAT assessment of my.askable against WCAG 2.2 Level A and AA published by me2 Accessibility. Identified barriers are tracked in the public roadmap.

  6. 2025-09-30 · Policy

    Subprocessor inventory review

    Annual review of subprocessor inventory completed under the IMS change-management policy. Two providers retired, one (Turbopuffer) added in January 2026.

  7. 2025-07-14 · Cert

    ISO/IEC 27701:2019 certification maintained

    PIMS recertification audit completed. Privacy management system controls reviewed and certified for a further three-year cycle.

  8. 2025-05-02 · Cert

    UK Cyber Essentials certified

    Cyber Essentials certification issued by an NCSC-accredited certification body covering the production estate and corporate endpoints.

  9. 2025-03-18 · Pentest

    Annual penetration test completed (Acumenis)

    Third-party penetration test of the Askable web application platform completed by Acumenis. Findings remediated under documented SLA. Summary report available on request.

  10. 2024-11-26 · Recognition

    Wiz Cloud Security Excellence recognition

    Cloud security posture recognition from Wiz for adherence to cloud-native security best practice across our AWS workloads.

  11. 2024-09-09 · Policy

    AI use policy published

    Information Security, Privacy and Artificial Intelligence Policy revised and republished. Establishes lifecycle controls for AI features in advance of ISO 42001 certification.

  12. 2024-06-20 · Compliance

    CCPA compliance programme established

    California Consumer Privacy Act compliance programme formalised, including right-to-know, right-to-delete, and right-to-opt-out workflows.

  13. 2024-04-04 · Subprocessor

    Added Kinde (authentication)

    Migrated authentication and identity management to Kinde. Region: Australia. 30-day partner notification observed.

  14. 2023-11-15 · Subprocessor

    Added Anthropic and OpenAI as LLM subprocessors

    Added Anthropic and OpenAI as subprocessors for opt-in AI features (AI Moderated Interviews, automated insight generation). Per-brief opt-in enforced at the data egress layer.

  15. 2023-08-01 · Cert

    Initial SOC 2 Type II report issued

    Inaugural SOC 2 Type II attestation covering Security, Availability, and Confidentiality Trust Services Criteria.

  16. 2023-04-12 · Cert

    ISO/IEC 27001 transition to 2022 revision

    ISMS transitioned from ISO/IEC 27001:2013 to the 2022 revision. Annex A control mapping updated across the IMS.

FAQ

The questions a vendor review usually opens with.

If your standard intake form has 200 questions, most are answered across the Overview, Controls, Subprocessors and Resources sections.

Skip the form: send your security checklist to security@askable.com.

Who actually holds the certifications?

Askable, the parent company. Askable Labs runs on Askable's production platform, so every certification and attestation listed on the trust centre applies directly to the lab's work.

Can we see the SOC 2 report?

Yes. The current SOC 2 Type II report is available under MNDA. Submit a request through the form on this page and the security team will provide the report and any bridge letter applicable to the gap between report windows.

Where does participant data live?

Primary data processing and storage occurs within Australian AWS regions. A subset of subprocessors operate in the USA — see the Subprocessors tab for the full list and region per provider. Region is configurable per partnership; cross-region transfers require explicit partner authorisation.

Do you train your own models on participant material?

No. Participant material is captured, structured, and delivered to partners under the brief's consent scope. The platform enforces this at the data-egress layer.

What about data subject rights (GDPR / CCPA)?

Right to know, right to delete, right to correct, right to opt out — supported across the platform. Requests are handled under the Data Subject Rights Policy (available on the Resources tab) and tracked in the IMS.

Can a participant withdraw after delivery?

Yes. Withdrawal is supported post-delivery. The end-to-end pathway includes cryptographic destruction of source material on Askable's side and a relayed request to the partner who received the delivery.

How do you handle access internally?

Role-scoped, least-privilege, SSO + MFA via Kinde. Every privileged action is logged with actor, action, and resource. Reviewer access is brief-scoped and revocable. Privileged production access requires a documented business need.

What happens in an incident?

Documented incident-response plan operating under the IMS. Material partner-affecting incidents are notified per the partnership agreement and per the SOC 2 / ISO 42001 / ISO 27001 obligations. Incident severity, timeline, root cause and remediation are recorded.

Is the platform penetration tested?

Yes — annually, by an independent third party (Acumenis). The summary report is available under MNDA on the Resources tab. Remediation is tracked under documented SLAs in the vulnerability management programme.

What encryption is in place?

All datastores housing sensitive customer data are encrypted at rest. Production traffic is TLS in transit. Cryptographic key management is governed by the Information Security, Privacy and AI Policy.

How are subprocessor changes communicated?

Partner accounts receive 30-day advance notification of any addition or removal from the subprocessor list. Material partner-affecting changes are also notified at the brief level.

Are AI features opt-in?

Yes. AI Moderated Interviews, automated insight generation, and AI-assisted analysis are per-brief opt-in. The platform enforces opt-in at the data egress layer — no participant material is sent to an LLM subprocessor unless the brief has been configured to do so.

What about ISO 27001 / 27701?

Both are held. Askable is certified to ISO/IEC 27001:2022 (ISMS) and ISO/IEC 27701:2019 (PIMS). Certificates are downloadable from the Resources tab.

Do you have a bug bounty / responsible disclosure programme?

Yes. Responsible disclosure submissions can be sent to security@askable.com. The vulnerability management policy (Resources tab) describes triage, SLAs, and acknowledgement.

SECURITY CONTACT

Direct line to the security team.

Vendor reviews, certificate requests, SOC 2 report under MNDA, or anything you need to clear an enterprise security review.