Speakeasy security/procurement: where can I get SOC 2 Type II / ISO 27001 docs and an enterprise SSO + audit log checklist?

Security reviews stall when you can’t get the right docs or clear answers fast. This FAQ is for security, procurement, and engineering teams that need to understand how Speakeasy handles SOC 2 Type II, ISO 27001, SSO, RBAC, and audit logs—and where to get the paperwork you need to move an evaluation forward.

Quick Answer: Speakeasy is SOC 2 Type II and ISO 27001 certified, GDPR/CCPA compliant, and HIPAA ready. To request detailed reports, DPAs, and an enterprise SSO + audit log checklist, reach out via the Speakeasy contact form or your account team; they’ll provide the latest security package under NDA.

Frequently Asked Questions

Where can I get Speakeasy’s SOC 2 Type II and ISO 27001 documentation?

Short Answer: Speakeasy is SOC 2 Type II and ISO 27001 certified. You can request formal reports and attestations from the Speakeasy team, typically under NDA as part of your security review.

Expanded Explanation:
Speakeasy is built for teams with strict compliance requirements, including Fortune 500 organizations. The platform is independently audited for SOC 2 Type II and ISO 27001, and is designed with privacy and regulated data flows in mind (GDPR, CCPA, and HIPAA-ready capabilities). Because these reports contain sensitive details about internal controls, they’re not posted publicly.

To get the full package—SOC 2 Type II report, ISO 27001 certificate, data processing details, and any standard security questionnaires—you’ll typically go through your Speakeasy sales contact or a short intake via the website. From there, Speakeasy can share the latest versions, align on your review process, and handle the legal side (NDA, DPA/BAA) in parallel.

Key Takeaways:

  • Speakeasy is SOC 2 Type II and ISO 27001 certified, with independently audited controls.
  • Formal reports and certificates are available on request via sales/support and usually shared under NDA.

How do I start a security/procurement review with Speakeasy?

Short Answer: Start by contacting Speakeasy via the website or your account rep, indicating you’re initiating a security or procurement review. They’ll send you the current security packet (SOC 2, ISO, DPA/BAA info) and can complete your custom questionnaires.

Expanded Explanation:
Security and procurement reviews follow a predictable loop: you need compliance reports, data handling details, and clear answers about auth, RBAC, observability, and deployment options. Speakeasy is set up for this. Once you reach out, the team can provide a standard security package that includes compliance attestations, data flow explanations (including self-hosted deployment options), and coverage of features like OAuth 2.1, SSO, scoped access, and audit logging.

If your organization uses standardized questionnaires (e.g., CAIQ, internal vendor forms), Speakeasy’s team can complete those directly and loop in engineering for deeper technical questions—especially around MCP Platform, audit trails, and self-hosting.

Steps:

  1. Submit a request: Use the Speakeasy site contact form or talk to your sales/account representative and specify “security/procurement review.”
  2. Sign NDA (if needed): Execute a mutual NDA so Speakeasy can share SOC 2 Type II, ISO 27001, and detailed security docs.
  3. Exchange documents: Receive the security packet and send any internal questionnaires or policy requirements for completion.

How does Speakeasy’s security compare to typical in‑house API/MCP implementations?

Short Answer: Compared to most in-house setups, Speakeasy centralizes auth (OAuth 2.1 with DCR + PKCE), RBAC, and full audit logging across SDKs, CLIs, and MCP servers—often exceeding the governance and observability you get from a one-off self-hosted MCP or ad-hoc gateway.

Expanded Explanation:
Rolling your own SDKs, CLIs, or MCP servers is easy; the hard part is securing and governing them at scale. In many organizations, auth is bolted on per interface, RBAC is coarse (if present), and audit logs are scattered across services. Speakeasy’s model is “one API, many interfaces,” all governed through the same control plane and security posture.

From your OpenAPI spec, Speakeasy generates SDKs, Terraform providers, CLIs, and MCP servers, then layers standardized controls on top: OAuth 2.1, scoped access down to individual tools, and a full audit trail for every tool call. For AI/agent integrations, this is critical: agents behave like any other client and must be governed with the same rigor you’d apply to a production application.

Comparison Snapshot:

  • Option A: In‑house, ad‑hoc interfaces
    • Per-service auth patterns, inconsistent SSO.
    • Limited or no tool-level RBAC.
    • Logs spread across services, hard to correlate.
  • Option B: Speakeasy platform (API + MCP)
    • OAuth 2.1 with DCR and PKCE standardized across servers.
    • Role-based permissions at server, toolset, and individual tool level.
    • Full audit trail: every tool call, permission change, and access event searchable.
  • Best for: Teams that need to make APIs and MCP tools “agent-ready” with governed access, clear auditability, and compliance-ready controls—without building and maintaining all the plumbing themselves.

What SSO, RBAC, and audit log capabilities does Speakeasy provide for enterprise?

Short Answer: Speakeasy integrates with your existing SSO, standardizes OAuth 2.1 (DCR + PKCE) for every MCP server, supports granular RBAC (server/toolset/tool-level) with sub-catalogs, and logs every tool call and access event for a full audit trail.

Expanded Explanation:
Speakeasy treats security as a first-class workflow, not an afterthought. Every MCP server on the Speakeasy Platform gets OAuth 2.1 by default, even if your upstream APIs don’t support it. That means dynamic client registration and PKCE are baked in, and you can plug in your SSO provider rather than stitching together custom auth flows for each agent tool.

Access is scoped at multiple layers: server, toolset, and individual tool. You can create sub-catalogs so different teams or apps see only the tools they’re allowed to use. On top of that, Speakeasy maintains a full audit trail—every tool call, permission change, and access event is logged and searchable, so you can answer “who did what, when, and through which client” without scraping logs from multiple systems.

What You Need:

  • SSO integration details: Your identity provider configuration (e.g., SAML/OIDC) and any org-specific SSO requirements for admins, developers, and agents.
  • Access model definition: Which teams, agents, and applications should see which MCP servers and toolsets, plus any constraints that require sub-catalogs or fine-grained RBAC.
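The three controls described in this section (PKCE on the OAuth 2.1 flow, access scoped at server, toolset and tool level with sub-catalogs, and an audit trail that answers “who did what, when, and through which client”) as an added Python illustration. This is example code written for this page, not Speakeasy’s code, and it does not call the Speakeasy API; the catalog, role, tool and client names, and the `is_allowed`, `visible_tools`, `AuditLog` and `call_tool` helpers are all constructed for the example. The PKCE part follows RFC 7636 (S256 method); the RBAC and audit parts show the shape of the checks a reviewer would want to see, with a sub-catalog derived from grants rather than maintained by hand.

```python
"""Added example: PKCE pair, tool-level RBAC with sub-catalogs, and a queryable audit trail.
Not Speakeasy code; all names below are constructed for illustration."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


# --- PKCE (RFC 7636, S256): the client keeps the verifier, sends only the challenge ---
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes -> 43-char verifier."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Authorization-server side: recompute S256(verifier) and compare in constant time."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


# --- RBAC: catalog of server -> toolset -> tools, grants at any of the three levels ---
CATALOG = {  # constructed sample catalog
    "crm-server": {
        "contacts": {"list_contacts", "update_contact"},
        "billing": {"issue_refund"},
    },
}
ROLE_GRANTS = {  # (server, toolset, tool); "*" widens the scope one level
    "support-agent": {("crm-server", "contacts", "*")},        # whole toolset
    "finance-bot": {("crm-server", "billing", "issue_refund")},  # single tool
    "admin": {("crm-server", "*", "*")},                          # whole server
}


def is_allowed(role, server, toolset, tool, grants=ROLE_GRANTS) -> bool:
    """Deny by default; allow only if some grant for the role covers this exact tool."""
    for g_server, g_toolset, g_tool in grants.get(role, ()):
        if g_server == server and g_toolset in ("*", toolset) and g_tool in ("*", tool):
            return True
    return False


def visible_tools(role, catalog=CATALOG, grants=ROLE_GRANTS) -> set[tuple[str, str, str]]:
    """The role's sub-catalog: computed from grants, so listing and calling can't drift apart."""
    return {(s, ts, t) for s, toolsets in catalog.items()
            for ts, tools in toolsets.items() for t in tools
            if is_allowed(role, s, ts, t, grants)}


# --- Audit trail: one record per tool call and per permission change, queryable by field ---
@dataclass
class AuditEvent:
    ts: str
    actor: str       # human or agent identity from SSO
    client_id: str   # which OAuth client (agent/app) made the request
    action: str      # "tool_call" | "permission_change"
    target: str
    outcome: str     # "allowed" | "denied"


class AuditLog:
    def __init__(self) -> None:
        self.events: list[AuditEvent] = []

    def record(self, **fields) -> AuditEvent:
        ev = AuditEvent(ts=datetime.now(timezone.utc).isoformat(), **fields)
        self.events.append(ev)
        return ev

    def query(self, **filters) -> list[AuditEvent]:
        """Answer 'who did what, when, through which client' with simple equality filters."""
        return [e for e in self.events
                if all(getattr(e, k) == v for k, v in filters.items())]


def call_tool(log, actor, role, client_id, server, toolset, tool, grants=ROLE_GRANTS) -> bool:
    """Authorize a tool call and log it whether it is allowed or denied."""
    allowed = is_allowed(role, server, toolset, tool, grants)
    log.record(actor=actor, client_id=client_id, action="tool_call",
               target=f"{server}/{toolset}/{tool}", outcome="allowed" if allowed else "denied")
    return allowed


def grant(log, actor, client_id, grants, role, scope) -> None:
    """Permission changes are audit events too, so the trail explains later 'allowed' outcomes."""
    grants.setdefault(role, set()).add(scope)
    log.record(actor=actor, client_id=client_id, action="permission_change",
               target=f"{role}:{'/'.join(scope)}", outcome="allowed")


if __name__ == "__main__":
    v, c = make_pkce_pair()
    print("pkce ok:", verify_pkce(v, c))
    log = AuditLog()
    call_tool(log, "alice@example.com", "support-agent", "agent-1", "crm-server", "billing", "issue_refund")
    for e in log.query(outcome="denied"):
        print(e.ts, e.actor, e.client_id, e.target, e.outcome)
```

The denied call is logged with the same fields as an allowed one, which is what makes a later review possible: filtering on `client_id` shows everything one agent attempted, and the `permission_change` events explain why a tool that was denied last week is allowed today.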

How does Speakeasy handle data protection, self‑hosting, and regulated workloads (e.g., HIPAA, GDPR)?

Short Answer: Speakeasy is GDPR and CCPA compliant, HIPAA ready (with BAAs and PHI isolation), and offers self-hosted deployment with private networking so you can keep data inside your own infrastructure while still using the same OpenAPI-native workflow.

Expanded Explanation:
For many organizations, the security/procurement question isn’t just “Are you SOC 2?” but “Where does data live, and can we keep it within our boundary?” Speakeasy addresses this in three layers:

  • Compliance & privacy: SOC 2 Type II and ISO 27001 certified, GDPR and CCPA compliant with data processing agreements available, plus user data deletion and privacy-by-design principles.
  • Healthcare/regulated data: HIPAA-ready with Business Associate Agreements (BAAs) for healthcare organizations, and PHI isolation with encryption at rest and in transit.
  • Deployment flexibility: A self-hosted deployment option lets you run Speakeasy on your own infrastructure, with VPC peering and private networking to maintain complete data isolation while still leveraging generated SDKs, Terraform providers, CLIs, and MCP servers.

This combination means you can bring Speakeasy into environments with strict data residency, healthcare privacy, or internal cloud boundary requirements, while still getting the “generate from OpenAPI and ship with every commit” workflow.

Why It Matters:

  • Impact on approval: Clear answers on data residency, encryption, and regulated data handling (HIPAA, GDPR/CCPA) dramatically shorten security and procurement timelines.
  • Impact on architecture: Self-hosting and private networking allow you to adopt Speakeasy without breaking existing compliance or network-segmentation constraints.

Quick Recap

Speakeasy is built for teams that need to move fast on API and MCP interfaces without compromising on security or compliance. It’s SOC 2 Type II and ISO 27001 certified, GDPR/CCPA compliant, HIPAA ready, and supports self-hosted deployments with private networking. On the operational side, Speakeasy standardizes OAuth 2.1 (with DCR + PKCE), integrates with your SSO, enforces RBAC down to the individual tool, and maintains a full audit trail so you can see every tool call, permission change, and access event. For security and procurement teams, all the core artifacts—SOC 2 Type II, ISO 27001, DPAs, BAAs, and detailed SSO/audit-log answers—are available via a structured review process.
