SOC 2 Type II Certification
FacilityFlow's SOC 2 Type II report provides independent assurance that our security controls are designed effectively and operating as intended. Requested by enterprises worldwide, our SOC 2 certification demonstrates our commitment to security, availability, and confidentiality.

Understanding SOC 2 Certification
What is SOC 2?
- SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy.
- A SOC 2 Type II report is the most rigorous form of SOC 2 audit.
- Type I vs Type II:
  - Type I: Evaluates control design at a specific point in time
  - Type II: Evaluates control design AND operating effectiveness over a period of time (typically 6-12 months)
- FacilityFlow holds SOC 2 Type II certification, meaning our controls have been independently verified to work effectively over an extended period.
Why SOC 2 Matters for Your Organization
- Independent Verification: Our security claims are verified by qualified, independent auditors—not just our own assertions.
- Continuous Monitoring: Type II audits examine controls over time, ensuring consistent security practices.
- Industry Standard: SOC 2 is the most requested security certification for SaaS providers. It satisfies most enterprise vendor security requirements.
- Trust Service Criteria: SOC 2 covers the five Trust Service Criteria, providing comprehensive assurance across multiple security domains.
Trust Service Criteria Covered
FacilityFlow's SOC 2 Type II report covers the following Trust Service Criteria:
Security
Included in the SOC 2 Report, this control ensures that information and systems are protected against unauthorized access, unauthorized disclosure, and damage through the implementation of strong logical and physical access controls, continuous system operations monitoring, structured change management processes, proactive risk mitigation practices, and secure encryption and key management mechanisms.
Availability
Included in the SOC 2 Report, this control ensures that information and systems remain available for operation and use as committed or agreed by leveraging continuous system monitoring and alerting, well-defined disaster recovery procedures, regular backup and restoration testing, proactive capacity planning, and an effective incident response framework.
Confidentiality
Included in the SOC 2 Report, this control ensures that information designated as confidential is protected as committed or agreed through formal data classification practices, encryption of data at rest and in transit, strict access restrictions, secure data disposal processes, and enforceable confidentiality agreements.
Processing Integrity
Available upon request, this control ensures that system processing is complete, valid, accurate, timely, and authorized through structured input validation, robust error handling mechanisms, systematic output reconciliation, and comprehensive quality assurance practices.
Privacy
Available upon request, this control ensures that personal information is collected, used, retained, disclosed, and disposed of in conformity with stated commitments through clear privacy notices and consent management, enforcement of data subject rights, defined data retention and disposal practices, and controlled disclosure procedures.
Audit Details
- Audit Period: January 1, 2024 – December 31, 2024
- Report Type: SOC 2 Type II
- Auditor: [Audit Firm Name]
- Criteria: Security, Availability, Confidentiality
- Opinion: Unqualified (Clean Opinion)
- Exceptions: None
- Next Audit: Q1 2026 (continuous annual audits)
What the Report Contains:
- Independent Auditor's Report: The auditor's opinion on the fairness of management's description and the suitability of control design and operating effectiveness.
- Management's Assertion: FacilityFlow management's assertion regarding the description of the system and controls.
- System Description: Detailed description of FacilityFlow's services, infrastructure, software, people, procedures, and data.
- Trust Service Criteria and Controls: Description of controls mapped to each Trust Service Criterion and the auditor's tests and results.
- Other Information (if applicable): Any additional information provided by management.
Request Our SOC 2 Report
Our SOC 2 Type II report is available to current customers, prospective customers, and their auditors under NDA.
Submit Request
Complete the SOC 2 report request form with your company information and use case.
Sign NDA
SOC 2 reports contain sensitive security information. We require a standard mutual NDA before sharing.
Receive Report
Once the NDA is executed, you'll receive a secure link to download the current SOC 2 Type II report.
Additional Security Resources
📄 Security Whitepaper
Comprehensive overview of our security architecture
📄 Penetration Test Summary
Executive summary of our latest third-party penetration test (NDA required)
📄 Security Questionnaire (SIG Lite)
Pre-completed standardized security questionnaire
📄 Vendor Security FAQ
Common questions from security teams, pre-answered
🔗 Trust Center
Central hub for all security and compliance resources
Ready to Review Our SOC 2 Report?
Get independent verification of our security controls.