SOC 2 and ISO 27001: Vendor Due Diligence for Proxy Providers
When an enterprise procurement team evaluates a proxy vendor for the first time, the questionnaire arrives before the technical conversation. SIG, CAIQ, SOC 2 Type II reports, ISO 27001 certificates, DPAs, sub-processor lists, insurance certificates, BCP and DR documentation, and penetration test summaries are all on the standard list. Proxy providers that have not built a security program geared for enterprise sales find themselves stuck in procurement for months.
This article describes what the major frameworks actually require, what enterprise buyers check, and the red flags experienced security teams use to disqualify vendors quickly.
The Frameworks, In Plain Terms
SOC 2 Type II
SOC 2 is an attestation produced by a licensed CPA firm under the AICPA's Trust Services Criteria. It is not a certification. A Type I report describes the design of controls at a point in time; a Type II report tests the operating effectiveness of those controls over a period of observation, typically six to twelve months. Enterprise buyers care about Type II, not Type I. A Type I report with no Type II follow-up is a red flag: it usually means the vendor passed the easier exam and never sat for the real one.
The Trust Services Criteria cover five areas: Security (always in scope), Availability, Processing Integrity, Confidentiality, and Privacy. A scoped SOC 2 report will list which criteria were tested. Proxy vendors selling to enterprises should be in scope for at least Security, Availability, and Confidentiality. Privacy is increasingly expected when EU customer data flows through the infrastructure.
When reviewing a SOC 2 Type II report, look at: the scope section (what systems and services are covered), the period covered (reports older than 15 months should raise questions about continuity), any exceptions noted by the auditor, and the subservice organizations listed. If the vendor uses a carve-out method for critical subservice organizations (like their cloud provider), verify that those subservice organizations have their own SOC 2 reports.
ISO/IEC 27001:2022
ISO 27001 is an international standard published by ISO and IEC for Information Security Management Systems. Unlike SOC 2, it is a certification issued by an accredited certification body after a two-stage audit. The 2022 revision of the standard restructured Annex A into four themes (Organizational, People, Physical, Technological) and reduced the control count from 114 to 93. Certifications under the 2013 version must transition to 2022 by October 31, 2025; a vendor still on the 2013 version in 2026 is either in transition or out of date.
ISO 27001 is more process-oriented than SOC 2. It requires a documented ISMS, a Statement of Applicability listing which Annex A controls apply, a risk treatment plan, internal audits, and management review. The audit checks that the system works, not that every technical control is implemented at a specific depth.
SOC 2 and ISO 27001 overlap in roughly 70% of their control coverage, and most mature vendors pursue both because US buyers default to SOC 2 and international buyers default to ISO 27001.
ISO/IEC 27017 and 27018
These are sector-specific extensions. 27017 covers cloud-specific controls; 27018 covers protection of personally identifiable information in public clouds. A proxy vendor operating on AWS, GCP, or equivalent should hold or reference these when selling to privacy-sensitive buyers.
The Security Questionnaires
SIG (Standardized Information Gathering)
Maintained by Shared Assessments, the SIG questionnaire comes in two forms. SIG Lite is roughly 130 questions covering a breadth of control areas at summary depth. SIG Core is roughly 1,000 questions that go to detail on every control family. Enterprises with formal TPRM programs typically send SIG Lite first and escalate to Core for Tier 1 vendors.
A proxy vendor should be able to return a completed SIG Lite within three business days and a SIG Core within ten. If the vendor takes longer, it usually means the answers are being invented rather than retrieved from an existing control library.
CAIQ (Consensus Assessments Initiative Questionnaire)
Published by the Cloud Security Alliance and aligned to the Cloud Controls Matrix (CCM v4), the CAIQ is roughly 260 yes/no questions with explanatory comments. It is lighter than SIG Core and specifically oriented to cloud services. Many buyers accept CAIQ responses registered in the CSA STAR registry as a first-pass control disclosure.
HECVAT
The Higher Education Community Vendor Assessment Toolkit, used by universities and research institutions. Proxy vendors serving academic buyers will see it.
What Enterprise Buyers Actually Check
Buyers who know what they are doing spend their attention on a short list of high-signal items, not on every questionnaire response:
- Subprocessor transparency: A complete list of subprocessors with purpose, location, and data categories. Vendors that decline to share a subprocessor list fail fast.
- Data Processing Addendum: A DPA that references Standard Contractual Clauses (2021/914) for EU data transfers and commits to specific security measures.
- Breach notification SLA: Most mature buyers want 24 or 48 hours from discovery, not 72.
- Penetration test cadence: Annual third-party testing at minimum; quarterly internal testing; remediation SLAs for critical and high findings.
- Access control: MFA on all privileged systems, least-privilege by default, quarterly access reviews, and session logging.
- Logging and monitoring: Centralized log aggregation, retention of at least 12 months for security-relevant logs, and 24x7 monitoring.
- BCP and DR: Documented RTO and RPO values, tested annually, with results available on request.
- Insurance: Cyber liability insurance of at least $5 million for mid-market deals and $25 million or more for large enterprise deals.
- Secure SDLC: Evidence of code review, SAST/DAST scanning, and dependency vulnerability management.
- Incident history: Public disclosure of incidents in the past 24 months and remediation steps taken.
Red Flags
Experienced security teams disqualify vendors on the following signals, often during the first thirty minutes:
- SOC 2 Type I only, with no stated plan for Type II. This means the vendor never operated the controls long enough to have them tested.
- ISO 27001 certificate from an unaccredited body. Check the certifying body against the IAF accreditation database. Mill-type certification bodies issue paper certificates that accredited bodies will not recognize.
- Refusal to share the full SOC 2 report under NDA. A summary letter or bridge letter is not a substitute.
- Subprocessor list that omits the underlying network or whitelabel supplier. If the vendor resells another network's IPs and does not disclose it, every control claim is only as strong as the upstream provider.
- No documented abuse handling process or SLA for responding to compromise reports from IP space owners. This is specific to proxy providers and directly related to whether the vendor's network is harboring abuse.
- Shared credentials for privileged infrastructure. Root passwords kept in a password manager "for emergency access" are a hard stop.
- Logs stored on the same infrastructure they monitor. This defeats the point of logging for incident response: a compromise of that infrastructure is also a compromise of the record of it.
- No change management beyond "we use GitHub pull requests." Acceptable for a startup; not acceptable for an enterprise claim of secure SDLC.
- Insurance certificates naming a broker but no actual policy. Ask for the declarations page.
- Legal entity located in a jurisdiction with no enforceable privacy regime when the vendor claims GDPR compliance.
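Most of the SOC 2 report checks above and the red flags in this list reduce to yes/no or date comparisons on the evidence package, which makes them easy to encode in a triage script a TPRM analyst can run before the first vendor call. The following Python is an added example, not code from this article or from any vendor: the `VendorEvidence` schema, the finding codes and the sample record are hypothetical, while the thresholds (the 15-month report age, the October 31, 2025 ISO transition deadline, 48-hour breach notification, the $5M and $25M insurance floors) are the ones stated above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds and dates as stated in the article.
ISO_2013_TRANSITION_DEADLINE = date(2025, 10, 31)
MAX_SOC2_REPORT_AGE_MONTHS = 15
MAX_BREACH_NOTIFICATION_HOURS = 48
MIN_CYBER_INSURANCE_USD = {"mid-market": 5_000_000, "enterprise": 25_000_000}
EXPECTED_SOC2_CRITERIA = frozenset({"Security", "Availability", "Confidentiality"})


@dataclass
class VendorEvidence:
    """Facts an analyst extracts from the questionnaire package (hypothetical schema)."""
    soc2_type: Optional[str] = None            # "Type I", "Type II" or None
    soc2_period_end: Optional[str] = None      # ISO date: last day of the observation period
    soc2_criteria: frozenset = frozenset()     # Trust Services Criteria in scope
    full_soc2_report_under_nda: bool = False
    iso27001_version: Optional[str] = None     # "2013", "2022" or None
    iso_body_accredited: Optional[bool] = None # result of the IAF database lookup
    subprocessor_list_shared: bool = False
    resells_upstream_network: bool = False
    upstream_network_disclosed: bool = False
    abuse_sla_documented: bool = False
    shared_privileged_credentials: bool = False
    logs_on_monitored_infrastructure: bool = False
    breach_notification_hours: Optional[int] = None
    insurance_declarations_page: bool = False
    cyber_insurance_usd: int = 0
    deal_size: str = "mid-market"              # or "enterprise"


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (negative if end precedes start)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def triage(ev: VendorEvidence, today: date) -> list:
    """Return (severity, code, message) findings: 'stop' disqualifies, 'ask' needs follow-up."""
    f = []
    # SOC 2: a recent Type II, scoped to the three criteria the article expects, shared in full.
    if ev.soc2_type is None:
        f.append(("ask", "SOC2_MISSING", "no SOC 2 attestation provided"))
    elif ev.soc2_type == "Type I":
        f.append(("stop", "SOC2_TYPE1_ONLY", "Type I only; controls never tested over a period"))
    else:
        if ev.soc2_period_end:
            age = months_between(date.fromisoformat(ev.soc2_period_end), today)
            if age > MAX_SOC2_REPORT_AGE_MONTHS:
                f.append(("ask", "SOC2_STALE", f"report period ended {age} months ago; ask about continuity"))
        missing = EXPECTED_SOC2_CRITERIA - set(ev.soc2_criteria)
        if missing:
            f.append(("ask", "SOC2_SCOPE", f"criteria not in scope: {sorted(missing)}"))
        if not ev.full_soc2_report_under_nda:
            f.append(("stop", "SOC2_SUMMARY_ONLY", "full report not offered under NDA"))
    # ISO 27001: version currency and accreditation of the certifying body.
    if ev.iso27001_version == "2013" and today > ISO_2013_TRANSITION_DEADLINE:
        f.append(("ask", "ISO_2013_EXPIRED", "2013 certificate past the 2022 transition deadline"))
    if ev.iso27001_version and ev.iso_body_accredited is False:
        f.append(("stop", "ISO_UNACCREDITED", "certifying body not found in the IAF database"))
    # Proxy-specific: supply chain transparency and abuse handling.
    if not ev.subprocessor_list_shared:
        f.append(("stop", "NO_SUBPROCESSOR_LIST", "vendor declined to share a subprocessor list"))
    elif ev.resells_upstream_network and not ev.upstream_network_disclosed:
        f.append(("stop", "UPSTREAM_UNDISCLOSED", "resold network missing from subprocessor list"))
    if not ev.abuse_sla_documented:
        f.append(("stop", "NO_ABUSE_SLA", "no documented abuse-handling process or SLA"))
    # Operational controls.
    if ev.shared_privileged_credentials:
        f.append(("stop", "SHARED_ROOT", "shared credentials for privileged infrastructure"))
    if ev.logs_on_monitored_infrastructure:
        f.append(("stop", "LOGS_NOT_ISOLATED", "logs stored on the infrastructure they monitor"))
    if ev.breach_notification_hours is None or ev.breach_notification_hours > MAX_BREACH_NOTIFICATION_HOURS:
        f.append(("ask", "BREACH_SLA", "breach notification unstated or slower than 48 hours"))
    # Insurance: a real declarations page, with limits scaled to deal size.
    if not ev.insurance_declarations_page:
        f.append(("ask", "INSURANCE_DECL_PAGE", "broker certificate only; ask for the declarations page"))
    if ev.cyber_insurance_usd < MIN_CYBER_INSURANCE_USD[ev.deal_size]:
        f.append(("ask", "INSURANCE_LIMIT", f"cyber cover below the floor for a {ev.deal_size} deal"))
    # Hard stops first, then alphabetical by code so output is stable.
    return sorted(f, key=lambda x: (x[0] != "stop", x[1]))


def review(ev: VendorEvidence, today_iso: str) -> dict:
    """Wrapper returning finding codes and the overall verdict for a given review date."""
    findings = triage(ev, date.fromisoformat(today_iso))
    return {
        "disqualified": any(sev == "stop" for sev, _, _ in findings),
        "codes": [code for _, code, _ in findings],
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: Type I only, 2013 ISO certificate, undisclosed upstream network.
    sample = VendorEvidence(soc2_type="Type I", iso27001_version="2013", iso_body_accredited=True,
                            subprocessor_list_shared=True, resells_upstream_network=True,
                            breach_notification_hours=72, cyber_insurance_usd=2_000_000)
    for sev, code, msg in review(sample, "2026-03-01")["findings"]:
        print(f"[{sev}] {code}: {msg}")
```

The split between `stop` and `ask` mirrors how the list above is used in practice: a single hard stop ends the review, while the `ask` items become the follow-up questions for the vendor call. The IAF lookup, the jurisdiction check and the subservice-organization carve-out review are judgment calls that the script only records as inputs rather than deciding itself.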
A Proxy-Specific Control Set
Beyond the standard frameworks, proxy vendors should be asked about controls unique to their category:
- IP sourcing provenance: Where do the IPs come from? Owned /22 blocks with LOAs? Consent-based SDK supply? Upstream wholesale from another network?
- Abuse response: Documented time-to-action on abuse complaints from IP block owners, Spamhaus-style reports, and law enforcement preservation requests.
- Traffic inspection: Does the provider inspect HTTPS payloads? Most reputable providers do not. Ones that do are operating a different product with different compliance implications.
- Retention of routed traffic metadata: Connection tuples, timestamps, session identifiers, bandwidth accounting. How long is it retained and under what circumstances is it accessed?
- Customer isolation: Is there meaningful separation between customers' egress traffic so that Customer A's usage cannot implicate Customer B's IP reputation?
How Hex Proxies Approaches This
Hex Proxies operates owned ISP infrastructure in Virginia with documented LOAs, maintains a SOC 2 Type II attestation covering Security, Availability, and Confidentiality criteria, and publishes an up-to-date subprocessor list. The compliance page links to current audit artifacts, our DPA template, and the breach notification SLA. Enterprise customers can request the full SOC 2 report, penetration test summary, and the latest SIG Lite response under mutual NDA.
Further Reading
- AICPA Trust Services Criteria (TSP section 100).
- ISO/IEC 27001:2022 standard and Annex A controls.
- Cloud Security Alliance CAIQ v4 and CCM v4.
- Shared Assessments SIG 2024 questionnaire.
- Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914.