Announcing SOC 2 Type II

Authr has completed its first SOC 2 Type II audit, covering the Security, Availability, and Confidentiality trust services criteria, with zero exceptions noted. The examination was performed by an independent audit firm over a six-month observation period ending in March. The report is available to customers and qualified prospects under NDA today.
Type II is the one that matters
A Type I report says your controls were designed sensibly on the day the auditor visited. A Type II report says the controls actually operated, continuously, over months, with evidence sampled from the messy middle of real operations: real access reviews, real incident response, real change management, real offboarding. It is the difference between a fire drill diagram and a log of every fire drill you actually ran. When we planned our compliance roadmap, we chose to skip straight to the standard with teeth, and to say so publicly, because our customers include banks and hospitals who read these reports line by line. They should.
What the observation period covered
- Access control: quarterly reviews of every human and service credential with production reach, with evidence of removals, not just approvals.
- Change management: every production change through the same reviewed, logged pipeline, including changes made during incidents.
- Incident response: our on-call, escalation, and postmortem practices, tested against the incidents that actually occurred during the window.
- Availability: the monitoring and capacity discipline behind our uptime commitments, now serving over 600 million authentications a month.
- Vendor management and personnel security across all four of our offices.
What the process cost us, and why that is the point
I want to be candid about the work, because announcements in this genre tend to imply the auditors showed up and admired what they found. The observation period surfaced friction we chose to fix rather than explain: we rebuilt our offboarding automation after finding a four-hour gap between HR termination and credential revocation that we considered too long, even though it was within our documented policy. We also consolidated three separate change approval paths into one, because a control that exists in three variants is three chances to drift. Zero exceptions was the outcome; those fixes were the value.
What happens next
Two commitments. First, this audit becomes annual, permanently; a point-in-time achievement that is allowed to decay is worse than none, because it converts diligence into decoration. Second, we will keep expanding scope: ISO 27001 certification work is already underway, and healthcare customers can sign HIPAA business associate agreements with us today. I will make the same closing point I make in every customer security review: a report proves the process operated, not that the product is secure. Judge us on both. Request the report through your account team, or book a demo and ask me the hard questions directly. I read every security questionnaire personally, and I intend to keep it that way for as long as that scales.
Writing from inside the identity layer since 2023. For the conversation this post starts, bring it to your next architecture review — or to ours.
