
Ory Network has completed its SOC 2 Type 2 certification. But what does that mean for us as an organization and for you as our customer?

At Ory, keeping customer and stakeholder data secure is our top priority. To ensure that our systems and controls have been designed appropriately to achieve that goal, we sought out third-party attestation from a qualified auditing firm. Our SOC 2 Type 2 report is the result of their examination.

In this blog post, we'll explain what a SOC 2 Type 2 report is, what it covers, and why we chose to undergo this rigorous compliance audit.

What is a SOC 2 Type 2 report?

Obtaining a System and Organization Controls (SOC) 2 Type 2 report is one way for a service organization to attest to the security of its digital environment.

Completing a SOC 2 Type 2 Attestation through an accredited third-party auditor does not result in any certification. Instead, the resulting CPA's report functions as a tool to help an organization communicate whether the internal controls they've put in place governing the security of customers', partners', and stakeholders' data are properly designed, implemented, and maintained.

"As the Co-Founder and CTO of Ory, I’m proud to announce our recent SOC 2 Type 2 certification. This certification reflects our unwavering commitment to safeguarding our clients’ data. SOC 2 Type 2 certification is not just a milestone; it’s a testament to our dedication to maintaining the highest standards of information data security. We understand the responsibility that comes with handling sensitive data, and this certification assures our clients that we take that responsibility seriously. Ory is more than just a technology provider; we’re a trusted partner, and this certification underscores that trust."
Aeneas Rekkas, CTO & Co-Founder

In simpler terms, a SOC 2 Type 2 report provides an avenue for current and potential stakeholders to assess risk by giving them a closer look at the policies and procedures put in place to ensure the organization's services are provided safely and reliably.

What does a SOC 2 Type 2 report cover?

Accredited CPA firms perform all SOC 2 Type 2 examinations under the standards defined by SSAE 18. An auditor tests the effectiveness of the internal controls outlined by the organization and then maps those controls to one or a combination of Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA).

In our case, those criteria include:

  • Security: The system is protected against unauthorized access (both physical and logical).

  • Availability: The system is available for operation and use as committed or agreed.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected as committed or agreed.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

SOC 2 Type 2 reports examine controls over a period of time, usually between three and 12 months, and include both a list of the controls tested and the auditor's test results. The reporting period for Ory's latest SOC 2 report spanned from 01.06.2023 to 31.08.2023.

Why did we undergo a SOC 2 examination?

Completing a SOC 2 examination marks a huge step forward in Ory's efforts to demonstrate our commitment to data security and ensure that we're prepared to face the challenges of the ever-changing cybersecurity landscape.

Because Ory Network manages Identities and Access for our customers and our customers' customers, they trust us with their most sensitive data. Therefore, we started with a SOC 2 audit, since one of the main things it covers is our handling of sensitive customer data.

It is also much easier to become, and remain, SOC 2 Type 2 compliant when implementing the appropriate practices and standards as early as possible.

Where can I learn more?

Our auditing partner, BARR Advisory, has provided a detailed breakdown on how to read a SOC 2 report, including where to find the most important and relevant information for your situation. Current and prospective customers interested in obtaining a copy of Ory's latest SOC 2 Type 2 report may contact our security team at [email protected].
