> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abv.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# SOC 2 Type II Certification

> Independent audit of ABV's security controls over time

<Check>
  ABV maintains an **active SOC 2 Type II certification**, demonstrating that our security, availability, and confidentiality controls have been independently audited and verified to operate effectively over time. This is a real certification, not just alignment or best practices.
</Check>

# What is SOC 2 Type II?

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that store or process customer data.

<Info>
  SOC 2 Type II examines both the design and operating effectiveness of security controls over a minimum 6-month audit period, providing evidence that controls work consistently over time.
</Info>

SOC 2 is based on five Trust Service Principles:

* **Security** (mandatory): Protection against unauthorized access, both physical and logical
* **Availability**: System uptime and operational performance
* **Processing Integrity**: Complete, valid, accurate, timely, and authorized processing
* **Confidentiality**: Protection of confidential information
* **Privacy**: Collection, use, retention, and disposal of personal information

ABV's SOC 2 Type II certification covers Security, Availability, and Confidentiality.

# SOC 2 Type II vs Type I

The key difference between Type I and Type II audits:

* **Type I**: Evaluates security controls at a single point in time
* **Type II**: Evaluates controls over a 6-12 month period, testing that they operate effectively throughout

Type II provides stronger assurance because it validates that security controls function consistently over time, not just on a specific audit date.

# ABV's SOC 2 Type II Certification Status

<Info>
  **Certification Details**:

  * **Standard**: SOC 2 Type II (not Type I)
  * **Trust Service Criteria**: Security, Availability, and Confidentiality
  * **Audit Period**: Minimum 6 months of continuous operation testing
  * **Auditor**: Independent third-party CPA firm
  * **Renewal**: Annual audit with continuous monitoring
  * **Availability**: Report available to Pro and Enterprise customers under NDA
</Info>

# ABV's SOC 2 Type II Controls

Our SOC 2 Type II audit validates controls across multiple domains:

## Security Controls

* **Access Control**: Multi-factor authentication, role-based access, principle of least privilege
* **Encryption**: TLS 1.2+ in transit, AES-256 at rest [Learn more](/security/security/encryption)
* **Network Security**: Firewalls, intrusion detection, DDoS protection
* **Vulnerability Management**: Continuous scanning, annual penetration tests [Learn more](/security/security/penetration-testing)
* **Incident Response**: 24/7 monitoring, defined escalation procedures [Learn more](/security/security/incident-breach)

## Availability Controls

* **High Availability Architecture**: Multi-AZ deployment in AWS with automatic failover
* **Backup and Recovery**: Automated encrypted backups with cross-region replication
* **Monitoring**: Real-time system health monitoring with alerting
* **Capacity Management**: Resource planning and scalability testing
* **Status Transparency**: Public status page at [status.abv.dev](https://status.abv.dev)
* **Regional Flexibility**: Custom deployments available in most AWS regions for specific compliance needs

## Confidentiality Controls

* **Data Segregation**: Customer data isolated using logical controls
* **Secure Development**: Security-focused SDLC with code review and testing
* **Personnel Security**: Background checks, security training, NDA requirements
* **Secure Disposal**: Cryptographic erasure and secure deletion procedures
* **Vendor Management**: Third-party security assessments and contractual requirements

# What ABV's SOC 2 Certification Means

## What It Confirms

<Check>
  * **Independent Verification**: A third-party auditor has tested our controls over 6+ months
  * **Operational Effectiveness**: Controls don't just exist on paper - they work in practice
  * **Continuous Compliance**: Not a point-in-time assessment, but sustained operation
  * **Risk Reduction**: Reduced security risk for customers using ABV's platform
  * **Due Diligence Support**: Satisfies most vendor security assessment requirements
</Check>

## What It Doesn't Mean

<Warning>
  SOC 2 certification of ABV does NOT mean:

  * Your own systems are SOC 2 compliant by using ABV
  * You can claim SOC 2 compliance without your own audit
  * All security risks are eliminated (no certification guarantees 100% security)
  * Automatic compliance with all regulations (SOC 2 is one component of compliance)
</Warning>

# SOC 2 for Your Procurement Process

SOC 2 Type II certification is often required for:

* **Enterprise Procurement**: Many organizations require vendors to have SOC 2 Type II before contract approval
* **Security Questionnaires**: SOC 2 demonstrates compliance with common security questionnaire requirements
* **Risk Assessments**: Independent audit evidence for third-party risk management programs
* **Regulatory Compliance**: SOC 2 controls align with GDPR, HIPAA, and other regulatory frameworks
* **Insurance Requirements**: Cyber insurance policies often require service providers to maintain SOC 2

## Government and Public Sector

For Swedish government customers and EU public sector organizations, SOC 2 Type II:

* Provides independent validation from a recognized US auditing standard
* Demonstrates security maturity and operational excellence
* Complements EU-specific certifications like ISO 27001 and NIS2 alignment
* Supports procurement evaluation criteria for cloud and SaaS vendors

# Accessing Our SOC 2 Report

SOC 2 Type II reports contain confidential information about ABV's security controls and are shared under NDA.

**Customers on Pro and Enterprise plans** can request access to our SOC 2 Type II report.

## How to Request

1. **Email [security@abv.dev](mailto:security@abv.dev)** from your company email
2. **Include**:
   * Your organization name and ABV account details
   * Purpose of the request (procurement, vendor assessment, audit, etc.)
   * Who will review the report (security team, auditors, procurement, etc.)
3. **Sign NDA**: We'll provide a mutual NDA for SOC 2 report sharing
4. **Receive Report**: Once NDA is executed, we'll share the full SOC 2 Type II report

We typically respond within 1-2 business days.

<Info>
  Our SOC 2 Type II report is updated annually. Contact us for the most recent audit period covered by our current certification.
</Info>

# Complementary Certifications

SOC 2 Type II is one part of ABV's comprehensive compliance program:

* **ISO 27001**: International information security management standard [Learn more](/security/compliance/iso-27001-compliance)
* **ISO 42001**: AI management system certification [Learn more](/security/compliance/iso-42001-compliance)
* **Annual Penetration Testing**: Independent security assessments [Learn more](/security/security/penetration-testing)
* **GDPR Compliance**: Full data protection program for EU customers [Learn more](/security/privacy/gdpr-compliance)

Together, these certifications demonstrate ABV's commitment to security, privacy, and responsible AI management.

# Related Topics

<CardGroup cols={2}>
  <Card title="ISO 27001 (Security)" icon="certificate" href="/security/compliance/iso-27001-compliance">
    See our international security certification
  </Card>

  <Card title="Penetration Testing" icon="shield-virus" href="/security/security/penetration-testing">
    Learn about our security testing program
  </Card>

  <Card title="Encryption" icon="lock" href="/security/security/encryption">
    Explore our encryption standards
  </Card>

  <Card title="Security Overview" icon="shield" href="/security/overview">
    View our complete security program
  </Card>
</CardGroup>
