
Speakeasy security/procurement: where can I get SOC 2 Type II / ISO 27001 docs and an enterprise SSO + audit log checklist?
Quick Answer: Speakeasy is SOC 2 Type II and ISO 27001 certified, and our security / procurement documentation (including SSO and audit-log details) is available via our team on request as part of your evaluation or vendor review process.
Frequently Asked Questions
Where can I get Speakeasy’s SOC 2 Type II and ISO 27001 reports for security/procurement review?
Short Answer: Request them directly from the Speakeasy team as part of your security or procurement review. We share SOC 2 Type II and ISO 27001 documentation under NDA with qualified prospects and customers.
Expanded Explanation:
Speakeasy is independently audited and certified for SOC 2 Type II and ISO 27001. Those reports, plus related security collateral, are not publicly downloadable because they describe our internal controls in detail. Instead, we provide them through a controlled process so your security, compliance, and procurement teams can complete due diligence without friction.
You can reach out through your existing Speakeasy contact, our website contact/sales flow, or your customer success channel. Once an NDA is in place (if your org requires it), we’ll provide the latest SOC 2 Type II report, ISO 27001 certificate, and supporting answers to your security questionnaire.
Key Takeaways:
- Speakeasy is SOC 2 Type II and ISO 27001 certified and will share reports under NDA.
- Use your account team or the website contact form to kick off the security packet review.
How do I run a full security/procurement review of Speakeasy (including SSO and audit logs)?
Short Answer: Start by requesting the security package (SOC 2 Type II, ISO 27001, DPAs), then walk through enterprise features like SSO, RBAC, and audit logs with our team in a technical / security review call.
Expanded Explanation:
Security and governance for Speakeasy isn’t just a compliance checkbox; it’s built into how we generate and operate API and MCP interfaces. A thorough review usually combines documents (SOC 2 Type II, ISO 27001, data processing agreements) with a live walkthrough of how we handle identity, access control, logging, and deployment.
Your process will look like any other critical SaaS / infrastructure vendor review, but with a focus on: OAuth 2.1 support, SSO integration, role-based access control down to the tool level, full audit trails for every tool call, and optional self-hosting for teams that need tighter data isolation. Our team is used to working with security, compliance, and procurement stakeholders at Fortune 500-level organizations.
Steps:
- Kick off security review: Contact Speakeasy (or your account rep) asking for the security / compliance packet (SOC 2 Type II, ISO 27001, DPAs, HIPAA readiness details).
- Schedule a technical deep dive: Walk through auth (SSO + OAuth 2.1), RBAC, audit logs, and deployment options (hosted vs self-hosted) with our engineers.
- Complete questionnaires & approvals: Share your security questionnaire / vendor form; we’ll respond with mapped controls and any additional technical detail your security and procurement teams need.
How does Speakeasy’s security posture compare to building and hosting MCP/SDK infrastructure ourselves?
Short Answer: Running Speakeasy means you inherit audited, SOC 2 Type II and ISO 27001-certified controls, OAuth 2.1 with DCR + PKCE, and centralized audit logs, instead of building and maintaining all of that yourself.
Expanded Explanation:
Building an MCP server is easy. Securely scaling MCP and API interfaces across your org is hard. If you roll your own, you’re responsible for identity, auth, logging, incident response, and compliance audits across every tool and interface. That’s a lot of surface area: SDK pipelines, Terraform providers, CLIs, MCP servers, and Docs MCP—all with different lifecycles and potential drift.
Speakeasy starts from your OpenAPI spec and gives you tightly-governed outputs—SDKs, Terraform providers, CLIs, Docs MCP, and MCP servers—wrapped in a control plane that already matches the expectations of security and compliance teams. Instead of inventing your own OAuth flows and log pipelines, you plug into OAuth 2.1 (with DCR and PKCE), SSO, role-based permissions, sub-catalogs, and a full audit trail for every call.
Comparison Snapshot:
- Option A: Build it yourself: Custom auth flows, custom logging, multiple teams re‑implementing controls, and you own the audit/compliance burden across all surfaces.
- Option B: Use Speakeasy: SOC 2 Type II & ISO 27001 controls, unified OAuth 2.1 + SSO, RBAC, and audit trails “out of the box” for SDKs, CLIs, Terraform, Docs MCP, and MCP servers.
- Best for: Teams who want “agent-ready” and API-native interfaces with enterprise security and compliance, without building and maintaining an entire governance platform internally.
How does Speakeasy support enterprise SSO, RBAC, and secure auth flows?
Short Answer: Speakeasy integrates with your SSO, standardizes on OAuth 2.1 with DCR + PKCE for servers, and exposes role-based permissions down to the server, toolset, and individual tool level.
Expanded Explanation:
For MCP Platform and the Speakeasy control plane, identity and auth are handled with the same rigor you’d expect from any core infrastructure provider. Every MCP server managed by Speakeasy can use OAuth 2.1 with dynamic client registration (DCR) and PKCE, even if your upstream provider doesn’t natively support those flows. That means agents and apps authenticate the way your security team expects, without custom auth plumbing per server.
On top of auth, Speakeasy lets you scope access precisely. Role-based permissions are available at multiple layers: server, toolset, and individual tool. You can carve out sub-catalogs so different teams, apps, and agents only see what they’re allowed to invoke. Combine this with SSO for human access, and you get a single model your security team can reason about and audit.
What You Need:
- SSO / IdP details: Your identity provider configuration (e.g., Okta, Azure AD / Microsoft Entra ID) and any required SSO policies.
- Access model decisions: Which teams, agents, and apps should see which servers/toolsets/tools—and any separation requirements you have (e.g., prod vs non‑prod catalogs).
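For teams validating the "OAuth 2.1 with PKCE" claim above during a technical deep dive, the following is an added, stand-alone example (not Speakeasy's code or API) of what the authorization server must do: compute the S256 challenge from a code_verifier, bind a single-use authorization code to that challenge, and refuse the token exchange when the verifier is missing, wrong, or uses the "plain" method that OAuth 2.1 no longer permits. The function names and the in-memory code store are assumptions for illustration; the hashing and encoding follow RFC 7636.

```python
import base64
import hashlib
import secrets


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped (RFC 7636 §4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh high-entropy verifier and its S256 challenge.

    RFC 7636 requires 43..128 unreserved characters; token_urlsafe(64) yields
    86 base64url characters ([A-Za-z0-9_-]), which satisfies both constraints.
    """
    verifier = secrets.token_urlsafe(64)
    return verifier, s256_challenge(verifier)


def verify_pkce(method: str, stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side check performed at the token endpoint.

    OAuth 2.1 drops the 'plain' transform, so only S256 is accepted. A verifier
    outside the RFC 7636 length range is rejected before hashing, and the
    comparison is constant-time to avoid leaking how many characters matched.
    """
    if method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def issue_code(store: dict, challenge: str, method: str) -> str:
    """Authorization endpoint (hypothetical): bind a single-use code to the challenge it came with."""
    code = secrets.token_urlsafe(32)
    store[code] = (challenge, method)
    return code


def redeem_code(store: dict, code: str, verifier: str) -> bool:
    """Token endpoint (hypothetical): consume the code on first use, match or not.

    Because the code is popped before verification, an attacker who captured the
    code (but not the verifier, which never left the client) cannot retry it, and
    the legitimate client cannot be replayed either.
    """
    entry = store.pop(code, None)
    if entry is None:
        return False
    challenge, method = entry
    return verify_pkce(method, challenge, verifier)


if __name__ == "__main__":
    store = {}
    verifier, challenge = make_pkce_pair()
    code = issue_code(store, challenge, "S256")
    print("attacker with stolen code:", redeem_code(store, code, "A" * 50))   # False
    print("legit client, code already burned:", redeem_code(store, code, verifier))  # False
    code = issue_code(store, challenge, "S256")
    print("legit client, fresh code:", redeem_code(store, code, verifier))    # True
```

When reviewing any server that claims PKCE support, the two behaviours worth probing are the ones the block encodes: a request with `code_challenge_method=plain` must be refused, and a second presentation of the same authorization code must fail even with the correct verifier.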
What audit logs and observability does Speakeasy provide for compliance and incident response?
Short Answer: Speakeasy provides a full audit trail—every tool call, permission change, and access event is logged and searchable—plus operational observability (logs, metrics, traces) across your MCP and API surfaces.
Expanded Explanation:
Governance isn’t real until you can answer “who did what, when, and with which tool?” Speakeasy tracks that by default. The MCP control plane gives you a full audit trail for every tool call, along with permission changes and access events. That means when an agent invokes a tool or an admin adjusts a role, there’s a record you can search and export to your existing SIEM workflows.
Beyond compliance-grade audit logs, Speakeasy is designed for day‑to‑day operations. You can “see every tool call, from request to response,” with real-time logs, distributed tracing, performance metrics, and usage analytics. That’s critical when you’re operating AI agents and API clients in production: debugging misbehaving tools, tuning token usage, and demonstrating control to auditors all depend on good observability.
Why It Matters:
- Compliance-ready from day one: Full audit trail plus SOC 2 Type II and ISO 27001 certification means your security team starts with a strong baseline.
- Operational clarity: Real-time logs, traces, and metrics make it easier to investigate incidents, prove least-privilege access, and tune behavior across SDKs, CLIs, Terraform, Docs MCP, and MCP tools.
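To make the layered RBAC described under the SSO question (grants at the server, toolset, and individual-tool level, with sub-catalogs per principal) and the audit trail described here concrete, the following is an added example that is not Speakeasy's code or data model. It is a minimal, hypothetical control plane: every tool call is recorded whether it was allowed or denied, permission changes are recorded with the same schema, the catalog a principal sees is derived from what it may invoke, and records can be filtered for "who did what, when, with which tool" or exported as JSON Lines for a SIEM. The catalog, role names, and principals are constructed sample data.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample catalog (assumption, not Speakeasy's schema): server -> toolset -> tools.
CATALOG = {
    "billing-mcp": {
        "invoices": {"list_invoices", "get_invoice", "void_invoice"},
        "refunds": {"issue_refund"},
    },
    "support-mcp": {"tickets": {"list_tickets", "close_ticket"}},
}


@dataclass
class Role:
    """Grants at any of three layers; anything not granted is denied."""
    name: str
    servers: set = field(default_factory=set)   # e.g. {"support-mcp"}
    toolsets: set = field(default_factory=set)  # e.g. {("billing-mcp", "invoices")}
    tools: set = field(default_factory=set)     # e.g. {("billing-mcp", "refunds", "issue_refund")}


class ControlPlane:
    def __init__(self):
        self.roles = {}
        self.bindings = {}   # principal -> set of role names
        self.audit = []      # append-only list of audit records

    def _record(self, principal, action, **details):
        rec = {"ts": datetime.now(timezone.utc).isoformat(),
               "principal": principal, "action": action, **details}
        self.audit.append(rec)
        return rec

    # Permission changes are audited with the same schema as tool calls.
    def define_role(self, admin, role):
        self.roles[role.name] = role
        grants = (sorted(role.servers)
                  + sorted("/".join(t) for t in role.toolsets)
                  + sorted("/".join(t) for t in role.tools))
        self._record(admin, "role.define", role=role.name, grants=grants)

    def bind(self, admin, principal, role_name):
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.bindings.setdefault(principal, set()).add(role_name)
        self._record(admin, "role.bind", target=principal, role=role_name)

    def allowed(self, principal, server, toolset, tool):
        """Deny by default; a grant at any enclosing layer permits the call."""
        for name in self.bindings.get(principal, ()):
            r = self.roles[name]
            if (server in r.servers or (server, toolset) in r.toolsets
                    or (server, toolset, tool) in r.tools):
                return True
        return False

    def visible_catalog(self, principal):
        """The sub-catalog a principal sees: only the tools it may invoke."""
        cat = {}
        for s, toolsets in CATALOG.items():
            for ts, tools in toolsets.items():
                ok = sorted(t for t in tools if self.allowed(principal, s, ts, t))
                if ok:
                    cat.setdefault(s, {})[ts] = ok
        return cat

    def call_tool(self, principal, server, toolset, tool, args):
        """Record every invocation; denied calls are logged without being executed."""
        loc = dict(server=server, toolset=toolset, tool=tool)
        if tool not in CATALOG.get(server, {}).get(toolset, set()):
            self._record(principal, "tool.call", outcome="unknown_tool", **loc)
            raise LookupError(f"{server}/{toolset}/{tool}")
        if not self.allowed(principal, server, toolset, tool):
            self._record(principal, "tool.call", outcome="denied", **loc)
            raise PermissionError(f"{principal} may not call {server}/{toolset}/{tool}")
        result = {"ok": True, "tool": tool, "args": args}   # stand-in for the upstream call
        self._record(principal, "tool.call", outcome="allowed", args=args, **loc)
        return result

    def who_did_what(self, **match):
        """Filter records by any field, e.g. tool='issue_refund' or outcome='denied'."""
        return [r for r in self.audit if all(r.get(k) == v for k, v in match.items())]

    def export_jsonl(self):
        """One JSON object per line, the shape most SIEM collectors ingest directly."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def demo():
    """Constructed scenario: three grant layers, two allowed calls, two denied calls."""
    cp = ControlPlane()
    cp.define_role("alice@corp", Role("support-lead", servers={"support-mcp"}))
    cp.define_role("alice@corp", Role("invoice-ops", toolsets={("billing-mcp", "invoices")}))
    cp.define_role("alice@corp", Role("refund-agent", tools={("billing-mcp", "refunds", "issue_refund")}))
    cp.bind("alice@corp", "carol@corp", "support-lead")
    cp.bind("alice@corp", "bob@corp", "invoice-ops")
    cp.bind("alice@corp", "agent:refund-bot", "refund-agent")
    cp.call_tool("bob@corp", "billing-mcp", "invoices", "get_invoice", {"id": "inv_1"})
    cp.call_tool("carol@corp", "support-mcp", "tickets", "close_ticket", {"id": "t_9"})
    for p, s, ts, t in [("bob@corp", "billing-mcp", "refunds", "issue_refund"),
                        ("agent:refund-bot", "support-mcp", "tickets", "close_ticket")]:
        try:
            cp.call_tool(p, s, ts, t, {})
        except PermissionError:
            pass
    return cp


if __name__ == "__main__":
    print(demo().export_jsonl())
```

The design choice worth carrying into any vendor review is that denials and permission changes land in the same log as successful calls: an investigation of a misbehaving agent needs to see what it tried and was refused, not only what it ran.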
Quick Recap
For security and procurement teams, Speakeasy is designed to feel familiar and reviewable: SOC 2 Type II and ISO 27001 certified, GDPR/CCPA compliant, HIPAA ready, and optionally self-hosted for stricter isolation. You can request our security packet (including SOC 2 Type II and ISO 27001 docs) directly from our team, then validate how enterprise SSO, OAuth 2.1 (with DCR + PKCE), RBAC, sub-catalogs, and full audit trails map to your internal requirements. Instead of building and operating all of that yourself for every SDK, CLI, Terraform provider, and MCP server, you plug into a unified control plane that’s already wired for governance, observability, and agent-ready APIs.