Context.ai – SoC 2 Type II Report by Delve

Original source: hackernews · Summarized and analyzed by Genesis Park

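Summary

A Texas man has been charged with throwing a Molotov cocktail at the residence of OpenAI CEO Sam Altman. As a result of the incident, which took place in San Francisco, the man faces legal punishment, and police are investigating the specific motive and circumstances.

Body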

SSAE 21 – SOC 2 Type II Report
Explore Interfaces
For the Period April 2, 2025 - July 2, 2025

Table of Contents

- SECTION 1
   - Independent Service Auditor’s Report
- SECTION 2
   - Management Assertion
- SECTION 3
   - System Description
   - Principal Service Commitments and System Requirements
   - Description of Control Environment, Control Activities, Risk Assessment, Monitoring, and Information and Communication
- SECTION 4
   - Applicable Trust Services Criteria and Related Controls
   - Tests of Controls and Results of Tests
- SECTION 5
   - Other Information Provided by Context

SECTION 1

Independent Service Auditor’s Report

To: Management of Explore Interfaces

Scope

We have examined the attached Explore Interfaces description of the system titled “Automating Information Work” (description) throughout the period April 2, 2025 - July 2, 2025 included in Section 3, based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria) and the suitability of the design and operating effectiveness of controls included in the description throughout the period April 2, 2025 - July 2, 2025 to provide reasonable assurance that Context service commitments and system requirements would be achieved based on the trust service criteria for Security set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

The information included in Section 5, “Other Information Provided by Context” is presented by management of Context to provide additional information and is not a part of Context description of its system made available to user entities during the period April 2, 2025 - July 2, 2025. Information about Context business continuity planning etc. has not been subjected to the procedures applied in the examination of the description of the system and of the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description of the system.

The description indicates that certain applicable trust services criteria specified in the description can be achieved only if complementary user-entity controls contemplated in the design of Context controls are suitably designed and operating effectively, along with related controls at the service organization. Our examination did not extend to such complementary user entity controls, and we have not evaluated the suitability of the design or operating effectiveness of such complementary user-entity controls.

As indicated in the description, Context uses subservice organization Vercel for data center services. The description in Section 3 includes only the controls of Context and excludes controls of the various subservice organizations. The description also indicates that certain trust services criteria can be met only if the subservice organization’s controls, contemplated in the design of Context controls, are suitably designed and operating effectively along with related controls at the service organization. Our examination did not extend to controls of various subservice organizations for data center services.

Service Organization's Responsibilities

Context is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that the service commitments and system requirements were achieved.

Context has provided the accompanying assertion titled, Management of Context Assertion (Assertion) about the presentation of the Description based on the Description Criteria and suitability of the design and operating effectiveness of the controls described therein to provide reasonable assurance that the service commitments and system requirement would be achieved based on the applicable trust services criteria if operating effectively. Context is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) identifying the risks that would threaten the achievement of the service organization’s service commitments and system requirements; and (5) designing, implementing, and documenting controls that are suitably designed and operating effectively to meet the applicable trust services criteria stated in the Description.

Service Auditor's Responsibilities

Our responsibility is to express an opinion on the presentation of the description based on the description criteria set forth in Context assertion and on the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the description is presented in accordance with the description criteria and (2) the controls are suitably designed and operating effectively to meet the applicable trust services criteria stated in the description throughout the period April 2, 2025 - July 2, 2025.

Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the description based on the description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable trust services criteria. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable trust services criteria. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable trust services criteria were met. Our examination also included evaluating the overall presentation of the description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs. Because of their nature, controls at a service organization may not always operate effectively to meet the applicable trust services criteria. Also, conclusions about the suitability of the design and operating effectiveness of the controls to meet the applicable trust services criteria are subject to the risks that the system may change or that controls at a service organization may become ineffective.

Opinion

In our opinion, in all material respects, based on the description criteria described in Context assertion and the applicable trust services criteria:

1. The description fairly presents the system that was designed and implemented throughout the period April 2, 2025 - July 2, 2025.
2. The controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively throughout the period April 2, 2025 - July 2, 2025, and the subservice organization and user entities applied the controls contemplated in the design of Context controls throughout the period April 2, 2025 - July 2, 2025.
3. The controls operated effectively to provide reasonable assurance that the applicable trust services criteria were met throughout the period April 2, 2025 - July 2, 2025, and user entities and subservice organization applied the controls contemplated in the design of Context controls, and those controls operated effectively throughout the period April 2, 2025 - July 2, 2025.

Description of Test of Controls

The specific controls we tested, and the nature, timing, and results of our tests are presented in section 4 of our report titled "Independent Service Auditors' Description of Test of Controls and Results."

Restricted Use

This report, including the description of controls and results thereof in Section 4 of this report, is intended solely for the information, and use of Context; user entities of Context systems during some or all of the period April 2, 2025 - July 2, 2025; and those prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators who have sufficient knowledge and understanding of the following:

* The nature of the service provided by the service organization
* How the service organization’s system interacts with user entities, subservice organizations or other parties
* Internal control and its limitations
* User entity responsibilities, Complementary user-entity controls and how they interact with related controls at the service organization to meet the applicable trust services criteria
* The applicable trust services criteria
* The risks that may threaten the achievement of the applicable trust services criteria and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

PAC-FIRM-LIC-47383

SECTION 2

Management Assertion

Assertion by Management of Explore Interfaces

July 2, 2025

We have prepared the accompanying description of Explore Interfaces, system titled “Automating Information Work” throughout the period April 2, 2025 - July 2, 2025 (description), based on the criteria set forth in the Description Criteria DC Section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (description criteria).

The description is intended to provide users with information about the “Automating Information Work” that may be useful when assessing the risks arising from interactions with Explore Interfaces system, particularly information about the suitability of design and operating effectiveness of Explore Interfaces controls to meet the criteria related to Security, Availability, Processing Integrity, Confidentiality and Privacy set forth in TSP Section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy (applicable trust services criteria).

Explore Interfaces uses Vercel as a subservice organization. The description in Section 3 includes only the controls of Explore Interfaces and excludes controls of the various subservice organizations. The description also indicates that certain trust services criteria can be met only if the subservice organization’s controls, contemplated in the design of Explore Interfaces controls, are suitably designed and operating effectively along with related controls at the service organization. Our examination did not extend to controls of various subservice organizations for data center services.

The description also indicates that certain trust services criteria specified in the description can be met only if complementary user entity controls contemplated in the design of Explore Interfaces controls are suitably designed and operating effectively, along with related controls at the service organization. The description does not extend to controls of user entities.

We confirm, to the best of our knowledge and belief, that

1. the description fairly presents the “Automating Information Work” the period April 2, 2025 - July 2, 2025, based on the following description criteria:
   i. The description contains the following information:
      1. The types of services provided
      2. The components of the system used to provide the services, which are as follows:
         1. Infrastructure. The physical structures, IT, and other hardware (for example, facilities, computers, equipment, mobile devices, and other telecommunications networks).
         2. Software. The application programs and IT system software that support application programs (operating systems, middleware, and utilities).
         3. People. The personnel involved in the governance, operation, and use of a system (developers, operators, entity users, vendor personnel, and managers).
         4. Procedures. The automated and manual procedures.
         5. Data. Transaction streams, files, databases, tables, and output used or processed by the system.
      3. The boundaries or aspects of the system covered by the description.
      4. For information provided to, or received from, subservice organizations or other parties,
         1. How such information is provided or received and the role of the subservice organization and other parties and
         2. The procedures the service organization performs to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
      5. The applicable trust services criteria and the related controls designed to meet those criteria, including, as applicable, the following:
         1. Complementary user entity controls contemplated in the design of the service organization’s system.
         2. When the inclusive method is used to present a subservice organization, controls at the subservice organization
      6. If the service organization presents the subservice organization using the carveout method,
         1. The nature of the services provided by the subservice organization and
         2. Each of the applicable trust services criteria that are intended to be met by controls at the subservice organization, alone or in combination with controls at the service organization, and the types of controls expected to be implemented at carved-out subservice organizations to meet those criteria.
      7. Any applicable trust services criteria that are not addressed by a control at the service organization or a subservice organization and the reasons.
      8. In the case of a type 2 report, relevant details of changes to the service organization’s system during the period covered by the description.
   ii. The description does not omit or distort information relevant to the service organization’s system while acknowledging that the description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the system that each individual user may consider important to his or her own particular needs.
2. the controls stated in the description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated as described and if u

This analysis was written by the Genesis Park editorial team with the help of AI. The original text can be found via the source link.
