Kaltura achieves SOC 2 Type II certification, with a first-of-its-kind AI audit
Kaltura is SOC 2 Type II certified. Learn more about this standard, what it takes to obtain it, and what it means for customers.
For the third consecutive year, Kaltura is proud to announce we’ve successfully renewed our SOC 2 Type II certification, audited by Ernst & Young (EY), one of the “Big Four” accounting firms. But this year, we went further than ever before, becoming the first organization worldwide audited by EY to include AI governance in our SOC 2 audit.
What is SOC 2 and why is it important?
Developed by the American Institute of CPAs (AICPA), SOC 2 is one of the most rigorous and respected standards for evaluating and auditing information security and privacy. It evaluates how well an organization implements controls for the five Trust Services Criteria:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
Implementing all five SOC 2 Trust Services Criteria demonstrates a holistic security and compliance posture that not only meets industry standards but also builds stronger customer trust, accelerates vendor approvals, and provides a competitive edge in regulated markets.
SOC 2 Type II is the more stringent version of the certification. While Type I looks at the design of controls at a single point in time, Type II examines whether those controls are functioning effectively over a long period, typically a full year.
“This isn’t just about having a policy document sitting in a drawer,” says Shai Sivan, Kaltura’s VP of Technology, Cybersecurity, and Privacy. “To pass Type II, you must demonstrate that your processes are actually being implemented securely and continuously across the organization.”

Going beyond: AI governance in scope
In 2025, Kaltura added AI governance to the SOC 2 certification, a move that sets a new industry precedent.
“We wanted to check any security box a customer or industry might require,” Sivan explains. “SOC 2 didn’t previously include AI, but EY defined a new set of controls to ensure responsible, secure, and transparent use of AI across our products and internal processes.”
This means our customers can trust not only our handling of sensitive data, but also our approach to secure AI: how it’s implemented, how it’s trained, and how it’s governed.
Full-spectrum audit: No corners cut
SOC 2 audits allow organizations to choose which domains and controls to include, with a minimum of three Trust Services Criteria. At Kaltura, we chose all five: Security, Availability, Processing Integrity, Confidentiality, and Privacy, and insisted on a full-scale audit covering more than 100 controls, including:
- Secure software development practices
- Vendor onboarding and offboarding
- Employee and contractor background checks
- Risk assessments and executive oversight
- System monitoring and incident response
- HR policies and training
- Physical and logical access controls
- AI governance and usage protocols
“We wanted EY to test us on every possible control that’s relevant to our business. That’s how confident we are in our security posture,” Sivan said.

What the audit process involved
Achieving SOC 2 Type II certification is no small feat. It requires a cross-organizational effort and months of meticulous preparation.
- 35 team members from departments including R&D, DevOps, IT, HR, Finance, and Security contributed to the audit
- Over a month and a half was spent collecting and preparing evidence
- EY reviewed a random sample of over 10,000 pull requests to validate secure coding practices
- Evidence had to be timestamped and linked to real production activity
- A full-day, on-site audit was followed by 2.5 weeks of further analysis and validation
“All of our systems, partners, vendors, and internal processes were reviewed, from how we hire people to how we decommission tools. It’s incredibly detailed,” Sivan emphasized.
Customer trust, validated
So, what does all this mean for Kaltura’s customers?
In a word: trust.
“SOC 2 helps remove the guesswork,” Sivan explains. “It’s one thing for a sales rep to say we’re secure. It’s another thing to hand over an independently verified, industry-standard report that proves it.”
For industries where data sensitivity is paramount, such as banking, healthcare, government, education, and Fortune 500 enterprises, SOC 2 is often a mandatory requirement. It clears a major compliance hurdle for Kaltura and gives our customers the peace of mind that their data is in safe hands.

Continuous improvement and looking ahead
SOC 2 certification is not a one-time event. It must be renewed annually, with each audit evaluating real data and behavior from the previous year. That means Kaltura must continuously uphold and improve its practices.
“Customers won’t expect us to do the same 100 controls next year,” Sivan says. “They will expect 115 controls. This is our main GRM manager, Matan Rotshtein’s goal: to keep pushing us to improve. Security is a moving target, and we’re committed to staying ahead.”
On top of SOC 2 and existing ISO certifications (ISO27001:2022, ISO22301, ISO27701, ISO27799), Kaltura is preparing for its next milestone: the new ISO 42001 certification for AI governance, scheduled for December 2025.
Final word: Security is a company-wide mindset
Perhaps the biggest takeaway from our SOC 2 journey is that security isn’t just an IT function. It’s a cultural mindset that needs to be adopted across an organization.
“You can’t pass this audit unless your entire company thinks security,” Sivan concludes. “From developers to HR, everyone needs to act securely, consistently. We don’t fear audits, we are ready for our auditors’ most stringent controls.”
Kaltura’s SOC 2 Type II certification is more than a badge. It’s a reflection of our ongoing investment in protecting our customers, enabling our innovation in AI, and staying accountable in everything we do.