SOC 2 Type II: What It Means and Why It Matters

SOC 2 Type II certification is one of the most rigorous security audits a technology company can undergo. Here's what it means for Nano Wallet customers and why we pursued it.

What Is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates a company's information systems against five "Trust Service Criteria": security, availability, processing integrity, confidentiality, and privacy.

Unlike compliance frameworks that check a list of requirements at a single point in time, SOC 2 Type II examines whether controls are actually working over a sustained period — typically 6 to 12 months. An auditor reviews logs, interviews staff, tests controls, and verifies that security practices are consistently followed, not just documented.

Type I vs. Type II

SOC 2 Type I evaluates the design of controls at a specific point in time. It answers the question: "Are the right controls in place?" Type II goes further — it evaluates whether those controls operated effectively over the audit period. It answers: "Did the controls actually work, consistently, for the past year?"

Type II is significantly harder to achieve because it requires sustained operational discipline. A company can't cram for a Type II audit the way it might prepare for a Type I assessment. The auditor looks at months of evidence: access logs, incident response records, change management documentation, and employee training completion rates.

What Our SOC 2 Type II Covers

Our audit covers all five Trust Service Criteria:

**Security:** We demonstrate that our systems are protected against unauthorized access. This includes network security (firewalls, intrusion detection), application security (input validation, authentication), and physical security (data center access controls). Our auditor verified that we enforce multi-factor authentication for all employee access, rotate encryption keys quarterly, and maintain a vulnerability scanning program that runs weekly.

**Availability:** We demonstrate that our systems meet our stated uptime commitments. Over the audit period, our platform maintained 99.95% uptime, with the only downtime being a planned 23-minute maintenance window that was communicated to users 72 hours in advance.

**Processing Integrity:** We demonstrate that transactions are processed accurately and completely. The auditor verified our reconciliation processes, our idempotency controls, and our error handling procedures. They confirmed that every transaction in our system matches the corresponding record at our banking partners.

**Confidentiality:** We demonstrate that sensitive data is protected throughout its lifecycle. This includes encryption at rest (AES-256) and in transit (TLS 1.3), access controls based on the principle of least privilege, and data retention policies that automatically purge unnecessary data.

**Privacy:** We demonstrate that personal information is collected, used, and retained in accordance with our privacy policy and applicable regulations. The auditor reviewed our data collection practices, consent mechanisms, and data subject request procedures.

What This Means for Customers

For individual users, SOC 2 Type II means that an independent auditor has verified that Nano Wallet's security practices are real, not just marketing claims. Your data is encrypted, your transactions are processed accurately, and the company has demonstrated consistent security discipline over an extended period.

For business customers, SOC 2 Type II is often a procurement requirement. Many companies cannot use a financial service provider that lacks SOC 2 Type II certification. By maintaining this certification, we ensure that our business customers can pass their own audits and compliance reviews.

The Ongoing Commitment

SOC 2 Type II isn't a one-time achievement. We undergo a new audit every 12 months, and we maintain continuous monitoring between audits. Our security team reviews access logs daily, our vulnerability scanning runs weekly, and our incident response procedures are tested quarterly through tabletop exercises.

The audit report is available to customers and prospects under NDA. Contact our compliance team to request a copy.