Elicit Achieves SOC 2

Oct 30, 2025

If you’re interested in Elicit for enterprise or institutional use, reach out to us at [email protected] for more information regarding our security, or to request a copy of our SOC 2 Type II report under NDA.

Elicit Achieves SOC 2 Type II Compliance

We built Elicit from the ground up to transform the research process, allowing teams to save countless hours by automating systematic reviews, data extractions, and other critical workflows with AI.

From day one, we focused on trust: eliminating hallucinations, providing robust citations, and extracting structured insights from papers — so that researchers using our platform know their results are rooted in ground truth.

That same commitment to trust extends to how we safeguard your data. Whether proprietary documents or sensitive search histories, you can be confident your information stays private and secure.

To that end, we have worked for the last several months to achieve SOC 2 Type II compliance, the gold standard [reference 1] for companies in the SaaS space. This is by no means the end of our journey towards greater security, but it does represent a significant step forward and ensures we can continue to best support our growing community of enterprise customers who rely on Elicit for speed, ease of use, and security.

So What Is SOC 2?

SOC stands for System and Organization Controls. The important designation here is Type II.

With Type I, the focus is on whether the controls are designed correctly; it’s a snapshot in time, essentially asking: was the security of this system designed well?

But Type II is much more comprehensive, looking at the ongoing operations of a company to ensure that security is handled correctly on a continuous basis. It is not just asking whether the system was designed well, but whether it actually operates well, too.

SOC 2: So What?

SOC 2 is not a badge — it’s a key. It shortens security reviews, clears procurement blockers, and greenlights deployment. As your collaboration scales on our platform, the question becomes: can we trust Elicit with our data? SOC 2 is our independent, ongoing answer: yes.

Use it to move faster inside your org. If you are championing Elicit, this is the certification your security team needs. Share the report, pass the security review, and keep the momentum going with your team.

Research-Specific Security Features

Elicit is a different kind of AI tool, and it is important to us to have security features specific to the kind of work our users engage in every day.

Our core AI safety approach:

  • Elicit takes a systematic, transparent, and unbounded approach to AI safety; we use a compositional approach rather than end-to-end black box models.

  • Problematic content is automatically filtered, including retracted papers.

  • Multiple AI models check answers, and confidence is only indicated when multiple models agree; this also helps mitigate bias.

How our security measures specifically protect your research data:

  • Elicit enforces strict authentication controls to limit access to customer data, including your research data. We run regular penetration tests and vulnerability scans to ensure that any issues are being remediated promptly.

  • We explicitly do not train on Enterprise user data, and have agreements with third-party providers (like OpenAI) that prevent them from doing so either.

  • Data is encrypted in transit and at rest, and intrusion detection systems (AWS GuardDuty and Cloudflare WAF) provide continuous monitoring for unauthorized access.

  • Data is backed up daily to minimize any potential data loss.

How we handle sensitive academic or corporate research materials:

  • All user-uploaded documents and research projects receive the highest level of safeguards. We encrypt such data in transit and at rest using TLS 1.2+ and AES-256-GCM encryption.

  • Customer data resides in AWS RDS with multi-zone replication and daily backups, ensuring durability and resilience against data loss.

  • Enterprise customers have single-tenancy with dedicated, logically isolated AWS clusters to ensure complete tenant separation.

  • Enterprise customer data is never co-mingled with other organizations and remains fully encrypted in transit and at rest, with key management handled through AWS KMS.

How we implement privacy controls for collaborative research between users:

  • Users have flexible options for controlling the visibility of reports created in Elicit. Reports can remain private, be shared as view-only links, made discoverable in search engines, or opened for direct collaboration with invited contributors. These settings give users fine-grained control over how their research outputs are shared and who can access them.

  • Individual users are able to add additional security to their account with MFA, and SAML 2.0 SSO is supported for larger organizations.

Ongoing Commitment

Achieving SOC 2 is a major milestone, but it represents just one step in our ongoing commitment to protecting user information. As Elicit continues to grow and to develop new and more powerful features, we will also continuously upgrade and refine our security and privacy architecture [reference 2]. That journey will be public, and anyone interested in learning more about Elicit’s security can visit our Trust Center.

References

  1. While “gold standard” is common language for companies to refer to SOC 2 in public announcements like this, it’s more properly understood as “an independent attestation engagement (AT-C 205) performed by a licensed CPA firm under the AICPA’s SOC framework and Trust Services Criteria (TSC)”. That doesn’t quite roll off the tongue the same way, though…

  2. In fact, by the time you’re reading this, some of the things here may already have been upgraded and be out of date. Caveat lector.
