Company News
Feross Aboukhadijeh
December 7, 2022
Socket is proud to announce that we’ve received a clean SOC 2 Type 1 attestation report. This rigorous, independent assessment of our internal security controls serves as validation of our dedication and adherence to the highest standards for security and confidentiality.
This is an important milestone but is in no way an end to our commitment to our customers and the security of their data. Socket sees security as the foundation upon which our products are built and upon which trust with our customers is earned and maintained.
Developed by the AICPA, SOC 2 is an extensive auditing procedure that ensures that a company is handling customer data securely and in a manner that protects the organization as well as the privacy of its customers. SOC 2 is designed for service providers storing customer data in the cloud.
Socket uses an automated platform to continuously monitor our internal security controls against the highest possible standards. We have real-time visibility across our organization to ensure the end-to-end security and compliance posture of our systems.
Socket helps tens of thousands of developers to ship faster and spend less time on security busywork by helping them safely find, audit, and manage open source software at scale. In order to achieve our mission, every party involved has to have an underlying trust in the security underpinning our platform.
As more enterprises look to process sensitive and confidential business data with cloud-based services like Socket, it’s critical that they do so in a way that ensures their data will remain safe. Our customers carry this responsibility on their shoulders every single day, and it’s important that the vendors they select to process their data in the cloud approach that responsibility in the same way.
By implementing the SOC 2 requirements, Socket demonstrates its commitment to meeting the most rigorous security and confidentiality standards in the industry. It verifies that Socket's security controls meet the AICPA Trust Services Principles and Criteria and that the best practices are built into our way of working, throughout every team – from the technical team to people operations.
Security is not just a feature. It’s our mission.
Every design decision in Socket begins with the safety and privacy of your data in mind. We can't read your source code, and no one else can either. Privacy isn’t an optional mode — it’s just the way that Socket works.
We never upload your source code. Socket is designed to work without the need to analyze, upload, or share your source code.
We never modify your source code. Socket will never modify a customer’s source code or deployment environment. We do not request these permissions, nor do we ever use them. In the event our service is compromised, your source code and deployment environment will be safe from modification.
We welcome any customer or prospect interested in using Socket's open source security platform, discussing our commitment to security, or reviewing our SOC compliance reports to contact us.
We hope this update helps you and your IT team rest easy knowing that your data in Socket is secure.
Update: Since this post was published, Socket has become SOC 2 Type 2 compliant. Read the announcement to learn more.