Maintaining consistent and reliable operational controls helps us ensure we’re able to provide the same in service to our users. These controls are placed as top priorities in everything we do.

Last Spring, we began the process of conducting a SOC 2 audit to provide third-party confirmation of our practices in processes across all facets of our operation. This resulted in completing a SOC 2 Type I audit in Summer of 2020.

After a series of random checks confirmed that the controls we have in place are being utilized, we have now successfully completed our first SOC 2 Type II audit. This milestone is just one in an ongoing commitment to this process.

How Are SOC 2 Type I and SOC 2 Type II Different?

SOC 2 was developed by the American Institute of CPAs (AICPA), and defines criteria for managing customer data based on five “trust service principles” – security, availability, processing integrity, confidentiality and privacy.

These reports are unique to each organization. They align with our specific business practices, each designed to comply with one or more of those trust service principles.

While a SOC 2 Type I report establishes that an organization has operational controls in place, the Type II audit confirms these processes are being effectively implemented and adhered to.

In our original Summer 2020 report, we provided the auditors with a comprehensive view of our organization’s operations. This included detailing all aspects of our organization from hiring and job-performance monitoring to data security and risk assessment practices.

With the completion of our SOC Type II audit, these practices and procedures were validated over an eight-month period to ensure they were not only in place but in practice, with staff adhering to policies and documenting activities.

Our highest priorities are always guaranteeing the operational effectiveness of our organization and maintaining data security.

co-founder and CEO of Cognito Forms Jamie Thomas

“Our highest priorities are always guaranteeing the operational effectiveness of our organization and maintaining data security,” says Cognito Forms co-founder and CEO Jamie Thomas. “That is why SOC 2 audits matter, and why Cognito Forms has invested in this level of self-examination.”  

Our SOC 2 Type II audit reinforces other data security, regulatory compliance and operational effectiveness measures we already have in place. These include available HIPAA compliance, US Privacy Shield certification, CCPA compliance and GDPR compliance.

Additionally, we also host our platform on Microsoft Azure servers, and Microsoft ensures its own SOC 2 Type II compliance.

If you’d like to learn more about our SOC 2 audit or data security practices, see our frequently asked questions and data security information.


Haley N.

Haley N.

Haley, the Content Specialist for Cognito Forms, helps customers discover how they can use the product to elevate their business. She knows that when it comes to getting things done, Cognito Forms is the perfect tool. When not at work, you can find her hiking, listening to podcasts, or buying plants.