SOC 2 Type II Certified

SOC 2 Compliance

Operative maintains SOC 2 Type II certification, demonstrating our commitment to security, availability, and confidentiality through independent third-party audits.

Current Certification

SOC 2 Type II - Unqualified Opinion

Audit Period: Nov 2024 - Oct 2025
Auditor: Deloitte

Security

No exceptions

The system is protected against unauthorized access, both physical and logical.

127 controls tested

Availability

No exceptions

The system is available for operation and use as committed or agreed.

34 controls tested

Confidentiality

No exceptions

Information designated as confidential is protected as committed or agreed.

45 controls tested

What SOC 2 Type II Means

SOC 2 (Service Organization Control 2) is a framework developed by the AICPA that specifies how organizations should manage customer data. It's the gold standard for SaaS security compliance.

Type II means an independent auditor tested our controls over an extended period (12 months) to verify they are not just designed well, but actually operating effectively day-to-day.

An unqualified opinion means the auditor found no material issues with our controls—the best possible outcome.

Why It Matters for You

Vendor Risk Assessment

Our SOC 2 report can satisfy most questions in your vendor security questionnaires, saving weeks of back-and-forth.

Regulatory Compliance

SOC 2 compliance helps demonstrate due diligence for regulations like GDPR, HIPAA, and industry-specific requirements.

Continuous Assurance

We maintain continuous compliance monitoring, not just point-in-time audits. Controls are tested and verified year-round.

Control Categories

Our SOC 2 audit tests controls across multiple categories. Here's an overview of what's covered:

Access Control

28 controls

User provisioning, MFA, least privilege, access reviews

Change Management

22 controls

Code review, testing, deployment controls, rollback procedures

Risk Assessment

18 controls

Annual risk assessment, threat modeling, vendor reviews

Incident Response

15 controls

Detection, response, communication, post-incident review

Data Protection

24 controls

Encryption, backup, retention, secure deletion

Network Security

20 controls

Firewalls, segmentation, monitoring, DDoS protection

Audit History

We've been continuously SOC 2 compliant since 2023. Here's our audit history:

SOC 2 Type II

November 2024 - October 2025

Auditor: Deloitte
Result: Unqualified opinion
Security, Availability, Confidentiality

SOC 2 Type II

November 2023 - October 2024

Auditor: Deloitte
Result: Unqualified opinion
Security, Availability

SOC 2 Type I

May 2023 - October 2023

Auditor: Moss Adams
Result: Unqualified opinion
Security

Request Our SOC 2 Report

Our full SOC 2 Type II report is available to customers and prospects under NDA. The report includes detailed control descriptions, test procedures, and results.