As 100% of our customer and user facing systems are hosted in AWS, Hypothesis achieves SOC (Systems and Organization Controls) compliance through the Amazon AWS SOC compliance reporting infrastructure.  AWS provides a regular public-facing (SOC3) report twice per year, which is available from their page here. This report is identical in form and contains most of what is in their SOC2 (restricted-use) report.  We can provide the SOC2 report to customers which require one, however because of their requirements that can only be provided under NDA.