SOC 2 TYPE II CERTIFIED

Independently Verified Security

Anyone can claim their software is secure. SOC 2 Type II certification means an independent CPA firm tested our controls over six months and confirmed they actually work. Not just designed well - operationally effective. That's the difference between saying and proving.

Why Type II Matters

Type I

Point-in-time assessment

Evaluates whether controls are designed appropriately at a specific moment. Think of it as a blueprint review - the auditor confirms you have the right policies and procedures documented.

Completed May 2023

What Was Evaluated

Our SOC 2 examination covered Security and Availability - the two criteria most critical for a platform handling sensitive financial data.

Security

Protection of system resources against unauthorized access. This encompasses everything from how we control who gets into the system to how we detect and respond to threats.

Controls Tested

  • Logical access controls and authentication
  • Network perimeter security
  • Encryption of data in transit and at rest
  • Security monitoring and alerting
  • Vulnerability management
  • Change management processes
  • Incident response procedures

Availability

System resources are available for operation and use as committed. Your owners expect the portal to work when they need it - we've proven our systems deliver on that expectation.

Controls Tested

  • Infrastructure monitoring and alerting
  • Backup and recovery procedures
  • Disaster recovery planning
  • Capacity management
  • Incident response and escalation
  • Business continuity planning

How the Audit Works

A SOC 2 Type II audit isn't a checkbox exercise. Here's what our auditors actually did over the examination period.

1. Documentation Review

Auditors examined our security policies, procedures, and system documentation to understand our control environment.

2. Control Walkthroughs

Our team demonstrated each control in action, explaining how it works and showing evidence of its operation.

3. Sample Testing

Auditors selected random samples from the 6-month period - access reviews, change tickets, incident logs - and verified each one.

4. Configuration Inspection

Technical systems were inspected directly: firewall rules, encryption settings, access logs, monitoring dashboards.

5. Personnel Interviews

Team members were interviewed to confirm security awareness and understanding of their responsibilities.

Unqualified Opinion - Clean Audit

The Auditor's Conclusion

BARR Advisory, an independent CPA firm specializing in cybersecurity and compliance, conducted our examination. Their report concluded:

"The description of Firm App's Web Platform is fairly presented, the controls were suitably designed, and the controls operated effectively throughout the audit period to provide reasonable assurance that service commitments and system requirements were achieved."

In plain terms: our security controls work as described, and they worked consistently over six months of testing. No material exceptions were noted.

Systems Covered

The SOC 2 report covers the complete Firm App platform - every component your owners interact with.

Web Application

The main portal used by administrators and owners alike

iOS Application

Native iPhone and iPad apps for owner access

Android Application

Native Android app for owner access

Cloud Infrastructure

AWS hosting, databases, and supporting services

What This Means for You

Confidence in Our Security

Your owners' sensitive data - SSNs, bank accounts, payment information - is protected by controls that have been independently verified to work. This isn't a marketing claim. It's documented proof.

Simplified Vendor Assessment

If your organization needs to assess vendor security (and most do), our SOC 2 report provides the documentation you need. It answers the questions your compliance team would ask.

Compliance Support

Many regulatory frameworks recognize SOC 2 as evidence of appropriate security controls. Our report can support your own compliance obligations.

Request the Full Report

The complete SOC 2 Type II report is available to qualified parties under NDA. The report includes detailed control descriptions, testing procedures, and the auditor's findings.

Who Can Request

  • Current Firm App customers
  • Prospective customers evaluating Firm App
  • Partners and auditors

What's Included

  • Auditor's opinion letter
  • System description
  • Complete control descriptions
  • Testing procedures and results
  • Any exceptions noted (none material)

Contact Security Team

Request the SOC 2 report or ask questions about our security program.

Ongoing Verification

SOC 2 isn't a one-time achievement. We're committed to continuous verification of our security controls.

Annual Re-Certification

We undergo SOC 2 Type II examination annually, ensuring our controls remain effective as the platform evolves.

Continuous Monitoring

Between audits, we continuously monitor our security controls and address any issues immediately.

Control Improvement

Each audit cycle, we enhance our controls based on evolving threats and best practices.

Have Security Questions?

Our team is ready to discuss your security requirements and share our SOC 2 report.