SOC 2
SOC 2 (Service Organization Control 2) is the standard trust report for B2B SaaS providers. We're working toward SOC 2 Type II certification.
Current status
| Milestone | Status |
|---|---|
| Controls framework defined | ✓ Complete |
| Internal observation period start | Q2 2026 |
| Type I report (point-in-time) | Targeted Q4 2026 |
| Type II report (operating-effectiveness over 6+ months) | Targeted Q1 2027 |
A Type I report attests that the controls were designed correctly at a moment in time. A Type II report attests they actually operated correctly across a multi-month observation period. Type II is what most procurement teams ultimately want.
Scope
The controls in scope cover:
| Trust Services Criterion | What it covers |
|---|---|
| Security | Access control, encryption, vulnerability management, incident response |
| Availability | License-server uptime, update channel reliability, Cloud Backup operational continuity |
| Confidentiality | Customer data protection (your .solid files, which we don't hold by default, and the copies you elect to back up via managed B2) |
| Processing Integrity | Double-entry validation, audit-log immutability, no silent data alteration |
| Privacy | Personal-data handling under GDPR / CCPA — see GDPR compliance |
We're scoping to all five Trust Services Criteria from the start rather than just Security; that's the more rigorous (and more useful) certification.
What customers get from this
When SOC 2 Type II lands:
- A signed report you can share with your procurement / IT-risk team
- Annual re-attestation thereafter
- The right to use Solid Accounting in environments that require SOC 2 attestation from vendors
In the meantime: our Security whitepaper describes the same controls in detail. Most of what's there will be exactly what the SOC 2 report formalizes.
How to get the report (when available)
We don't publish SOC 2 reports openly because they contain operational detail (specific control descriptions, dates of observation periods, names of personnel) that isn't useful to non-customers and could be misused.
After Type I lands:
- Email security@solidaccounting.com with your name, company, and intended use
- We send you the report under a one-page non-disclosure (we're not picky about NDAs — standard reciprocal terms)
- Turnaround: same business day
What about CSA STAR, ISO 27001, FedRAMP
- CSA STAR Level 1 (self-attestation) — likely after SOC 2 Type II ships
- CSA STAR Level 2 (third-party assessment) — under consideration; demand-dependent
- ISO 27001 — under consideration if customer demand warrants
- FedRAMP — not applicable; Solid is desktop software, not a SaaS service. The license server has SaaS-y characteristics but doesn't process customer data; FedRAMP scoping wouldn't fit.
Cross-references
- Compliance overview — full compliance status table
- Security whitepaper — technical detail behind the controls
- GDPR compliance — privacy leg of SOC 2 also covered there