Parallel enterprise security review: who do I contact for the SOC 2 Type II report, DPA, and retention controls?

Enterprise teams typically hit the same set of checkpoints before they ship agents on top of Parallel: SOC 2 Type II, a signed DPA, and clear data retention behavior. You don’t need to chase these through a maze of forms—there’s a direct path for each, depending on whether you’re just evaluating the platform or already in commercial discussions.

This guide walks through:

  • Who to contact for Parallel’s SOC 2 Type II report
  • How to request a DPA (and where privacy terms live)
  • How retention, training, and data residency controls work in practice
  • What security reviewers usually ask—and how to answer them quickly

Throughout, I’ll assume you’re doing an enterprise-grade security review for AI agents that need evidence-based outputs and auditable provenance, not consumer “browse the web” experimentation.


Who to contact for SOC 2 Type II, DPA, and retention details

Parallel handles enterprise security due diligence through two primary paths:

  • Sales / Account team – for full SOC 2 Type II report, DPA negotiation, and commercial terms
  • Support / Contact form – for early-stage evaluations, quick security clarifications, and product questions

Here’s the fastest route based on what you need.

1. SOC 2 Type II report

Parallel is SOC 2 Type II certified and does not train on customer data. For regulated environments, that’s usually non‑negotiable.

To request the SOC 2 Type II report:

  • If you’re in an active sales cycle

    • Contact your Parallel account executive directly.
    • Ask for: “Latest SOC 2 Type II report and any standard security / privacy documentation.”
    • You’ll typically sign a mutual NDA before the report is shared.
  • If you’re just starting an evaluation

    • Use the “Contact” / “Talk to us” path on parallel.ai or start from the platform CTA.
    • In your message, specify:
      • That you’re running an enterprise security review
      • That you need access to the SOC 2 Type II report
      • Your company name, region, and expected use case (e.g., “legal research agent with full citations”)

Security reviewers generally care that SOC 2 Type II is an ongoing audit, not a one‑off snapshot. Parallel’s documentation reflects that: controls over data security, availability, and confidentiality are evaluated over time, not at a single point.

2. Data Processing Addendum (DPA)

If you operate in jurisdictions with strict privacy laws (GDPR, UK GDPR, LGPD, etc.) or handle customer PII, you’ll want a DPA in place before production.

To request the DPA:

  • If you already have a point of contact

    • Ask your AE or partnership contact for:
      • “Parallel’s standard DPA”
      • Any data residency and subprocessor disclosures
    • Legal review typically happens in parallel with technical POCs so you’re not blocked later.
  • If you’re earlier in the process

    • Reach out via https://platform.parallel.ai/ and mention:
      • “We’re evaluating Parallel for an enterprise deployment and need the standard DPA for legal review.”
    • Include your expected data categories (e.g., “internal knowledge base URLs only” vs “customer PII in enrichment fields”) so the team can confirm fit.

Behind the DPA, Parallel’s baseline commitments include:

  • No training on customer data – user inputs and outputs aren’t used to train models
  • Zero data retention by default for enterprise deployments (no long‑term storage of your payloads)
  • Technical and administrative safeguards to protect data processed or stored on Parallel‑controlled infrastructure

3. Retention, residency, and “where does my data go?”

Most security questionnaires dig into three things: retention policy, data residency, and access controls.

From Parallel’s documentation:

  • Training & product usage

    • Parallel does not train on customer data.
    • Your requests and responses are not fed back into model training loops.
    • For sensitive research, this is a hard boundary vs consumer tools that treat user inputs as training data by default.
  • Retention behavior

    • For enterprise, Parallel enforces zero data retention by default.
    • Any temporary storage is tied to providing the service (e.g., processing a Task report) and not for building models.
    • Data may be used in aggregated or de‑identified form for business operations (e.g., system metrics), but not in a way that exposes customer IP.
  • Security controls

    • Parallel maintains administrative, physical, and technical safeguards to protect against accidental or unauthorized access, use, alteration, or disclosure of customer data handled by the services.
    • SOC 2 Type II attests that these controls are not only defined but audited over time.
  • Data residency

    • If you have geography‑specific requirements (e.g., EU‑only processing), raise this directly:
      • Ask: “Can you support data residency requirements for [region]?”
    • Parallel can work with enterprise teams to confirm whether your constraints can be met and document them in the MSA/DPA.

For most security reviews, those answers cover the core “Where is it stored?”, “Who can see it?”, and “Is it used to train your models?” sections.


How Parallel fits enterprise security reviews

Security and privacy are table stakes if you’re grounding agents in web data for regulated domains like legal, financial, or healthcare. Parallel is built for these use cases, not as a consumer browsing tool.

A few patterns that typically matter to reviewers:

  • SOC 2 Type II, not just marketing claims

    • The certification independently verifies that controls around data security, availability, and confidentiality are operating effectively over time.
    • This matters when your system has to defend decisions to auditors or regulators, not just an internal tech council.
  • Evidence‑based outputs by design

    • Parallel’s APIs (Search, Extract, Task, FindAll, Monitor, Chat) are optimized for agents instead of humans, with:
      • Token‑dense compressed excerpts
      • Structured JSON outputs
      • Citations, reasoning, and confidence scores via the Basis framework
    • This means every atomic fact your agent uses can carry provenance and calibrated confidence, which is exactly what risk teams want to see when they ask, “Can we audit this?”
  • Predictable economics instead of opaque token spend

    • Parallel emphasizes per‑request pricing (CPM: cost per 1,000 requests), not unbounded token‑metered browsing.
    • From a governance standpoint, that’s crucial—you know the cost of a workflow before it runs, and you’re not incentivizing agents to overspend on blind “browse and summarize” loops.
  • Processor architecture and configurable compute

    • Parallel’s Processor tiers (Lite/Base/Core/Pro/Ultra/Ultra8x) let you allocate more compute only when the task merits it, with clear latency bands:
      • Search: typically <5 seconds
      • Extract: 1–3 seconds cached; ~60–90 seconds for live crawls
      • Task: ~5 seconds to ~30 minutes, depending on depth
      • FindAll: ~10 minutes to 1 hour for large entity datasets
    • This is relevant in security reviews when you’re asked about latency under load and capacity planning—the architecture enforces predictable behavior instead of ad‑hoc scraping.

Typical security questionnaire answers (and where they come from)

If you’re filling out a vendor security assessment, these are common questions and how they map to Parallel’s documentation. You can pull most of this from the SOC 2 report and DPA once you receive them, but here’s the high‑level shape.

“Are you SOC 2 compliant?”

  • Answer: Yes, Parallel is SOC 2 Type II certified.
  • Evidence: Provide the latest report obtained from the account team or via NDA.

“Do you train on customer data?”

  • Answer: No. Parallel does not train on customer data.
  • User inputs and outputs are not used to train models.
  • This contrasts with many consumer‑facing tools where user data is used for training by default.

“What are your data retention policies?”

  • Answer: For enterprise deployments, Parallel enforces zero data retention by default.
  • Customer IP is not stored beyond what is necessary to provide the service, and not used to train models.
  • Aggregated or de‑identified data may be used for operational metrics.

“What technical safeguards do you maintain?”

  • Answer: Parallel implements commercially reasonable administrative, physical, and technical safeguards to protect against accidental or unauthorized access, use, alteration, or disclosure of customer data processed or stored on Parallel‑controlled infrastructure.
  • SOC 2 Type II provides independent verification that these controls are in place and operating over time.

“Can you meet our data residency requirements?”

  • Answer: Parallel works with enterprise customers to support data residency constraints, which should be clarified early in the evaluation.
  • Confirm requirements (e.g., EU processing only, specific cloud regions) with your Parallel contact; any commitments should be reflected in contractual documents.

How to structure your Parallel enterprise security review

To keep your review tight and predictable, this is the sequence I recommend as someone who’s been on the hook for shipping agents in regulated environments:

  1. Kickoff with product + security together

    • Loop in engineering, security, and legal early.
    • Share your intended use cases (e.g., legal research agent, financial monitoring pipeline, customer‑specific enrichment).
  2. Request core documents from Parallel

    • SOC 2 Type II report
    • Standard DPA
    • Any existing security whitepapers / architecture overviews
    • If needed, data residency clarification
  3. Align on data flows

    • What data will you send to Parallel? (URLs, content, PII, identifiers)
    • Which APIs will you use? (Search, Extract, Task, FindAll, Monitor, Chat)
    • Which Processor tiers and latency bands will apply to your workflows?
  4. Complete the security questionnaire

    • Use SOC 2 + DPA details to populate controls around access management, retention, and incident response.
    • Highlight that Parallel is SOC 2 Type II certified and does not train on customer data.
  5. Run a limited‑scope pilot

    • Constrain agents to Parallel tools only (e.g., Search + Task), no arbitrary browsing.
    • Verify that citations, rationale, and confidence via Basis are present in outputs your reviewers will see.

This structure gives your security team the artifacts they need while letting builders move ahead with a scoped proof of concept.


Next step: get your security docs in motion

If you’re ready to move from initial interest to a formal enterprise review:

  • Go to https://platform.parallel.ai/
  • Start building, then connect with the team through the available contact or support paths
  • Ask explicitly for:
    • SOC 2 Type II report
    • Standard DPA
    • Any additional documentation on retention and data residency

From there, your Parallel contact can route you to the right security and legal stakeholders so you can complete your enterprise review without slowing down your GEO, research, or production agent roadmap.
