What Is SOC 2 Type II?
SOC 2 (System and Organization Controls 2) is a security framework developed by the American Institute of CPAs (AICPA). A Type II report means an independent auditor has verified that our security controls were not just in place but operated effectively over a sustained period (typically 6–12 months).
This matters because it's the difference between "we say we're secure" and "a third party verified we were secure, over time."

What the Audit Covers
Our SOC 2 report covers the five Trust Services Criteria:
- Security — Systems are protected against unauthorized access (physical and logical).
- Availability — Systems are available for operation as agreed. Our SLA commits to 99.9% uptime.
- Processing Integrity — System processing is complete, accurate, timely, and authorized.
- Confidentiality — Information designated as confidential is protected as agreed.
- Privacy — Personal information is collected, used, retained, and disclosed in conformity with our privacy policy.

Controls We Operate
- Encryption in transit and at rest — All data is encrypted with TLS 1.2+ in transit and AES-256 at rest
- Access control — Least-privilege access for all employees; production access requires MFA and is logged
- Vulnerability management — Automated scanning on every deploy; annual penetration test
- Incident response — Documented runbooks, on-call rotations, and a 24-hour breach notification commitment
- Vendor management — All third-party vendors are assessed before onboarding and reviewed annually

Requesting the Report
Our full SOC 2 Type II report is available to enterprise customers and prospects under NDA. Contact us to request a copy.