Security & Trust

We ask our clients to trust us with access to their systems, strategies, and vulnerabilities. We believe that trust should be verifiable — not just promised.

SOC 2 Type 2 Attested

Independently verified security controls — not a self-assessment.

What This Means

A SOC 2 Type 2 audit is an independent examination by a licensed CPA firm under AICPA standards. Unlike a point-in-time assessment, a Type 2 report evaluates whether security controls are consistently followed over time. Our audit covered a full quarter and resulted in a clean opinion with no deviations noted.

Auditor: MJD Advisors
Period: Oct 1 – Dec 31, 2025
Opinion: Clean (no deviations)
Incidents: None during audit period

Trust Service Criteria

Our audit covered two of the five AICPA trust service categories.

Security

The system is protected against unauthorized access — both physical and logical. Includes access controls, network monitoring, change management, incident detection and response, and ongoing risk assessment.

Confidentiality

Information designated as confidential is protected as committed. Includes data classification, access restrictions, secure disposal, and confidentiality commitments in all agreements.

Our Security Commitments

Independently verified controls across six key areas.

Encryption

Data encrypted in transit (TLS 1.2+) and at rest across all cloud platforms.

Multi-Factor Auth

MFA required for all systems. No shared accounts. Least privilege access.

Continuous Monitoring

Security event logging, anomaly detection, and regular audit trail review.

Incident Response

Documented procedures, defined roles, communication protocols, and post-incident review.

Vendor Management

Third-party risk assessment, SOC report review, and contractual security requirements.

Change Management

Testing, approval, and rollback procedures for all system changes.

AI Transparency

We use AI tools in our work — and we're transparent about it.

Our AI Tools & Practices

MTM uses AI to enhance our advisory services. All AI-assisted communications are disclosed. Client meeting recording requires explicit consent and can be revoked at any time. AI tools operate under enterprise licenses with data controls — client data is never used to train models.

  • Fathom.video — Meeting transcription & summarization (HIPAA compliant, SOC 2 Type II)
  • Claude Teams (Anthropic) — Analysis, research, writing (GDPR compliant)
  • Google NotebookLM & Gemini — Research & productivity (HIPAA via BAA, GDPR compliant)

Our full AI Tools Disclosure is available upon request or at mtm.now.

Privacy & Data Handling

How we handle the information entrusted to us.

Request the Full SOC 2 Report

The complete SOC 2 Type 2 report is available to current and prospective clients, partners, and qualified parties under a non-disclosure agreement.

To request the report, email info@mtm.now with the subject "SOC 2 Report Request".