Status
We are actively working toward SOC 2 readiness and eventual independent attestation. Today, we provide security controls,
documentation, and due diligence support through this Trust Center and customer review processes. We do not claim SOC 2
compliance or certification at this time.
What “SOC 2” means
SOC 2 is an independent attestation report based on the Trust Services Criteria. A report is issued by a licensed CPA firm
after evaluating a service organization’s controls over a defined period. This page describes our roadmap and controls,
not a completed third-party report.
Trust Services Criteria focus
Our roadmap is organized around the Trust Services Criteria categories most relevant to Workplace.io. The scope of a future SOC 2
report will be defined as part of our audit process.
- Security: controls to protect against unauthorized access and misuse.
- Availability: controls to support reliable operation and resilience.
- Confidentiality: controls to protect sensitive customer data and secrets.
- Privacy: controls and policies for personal data handling and user rights (where applicable).
Current controls and practices
While we are not yet attested, we implement security controls and operational practices aligned with enterprise expectations.
The sections below summarize the areas most commonly reviewed during SOC 2 due diligence.
Access Controls
Workspace membership and role-based access control restrict administrative settings and sensitive actions.
Encryption
TLS protects data in transit, and encryption at rest protects stored data. Message content is short-lived by design.
Logging & Monitoring
Operational monitoring and security-relevant logging support reliability and incident investigation.
Incident Response
Incident handling procedures support triage, containment, remediation, and customer communication.
Secure Development
Review, testing, dependency hygiene, and controlled releases reduce the risk of vulnerabilities.
Subprocessors
Infrastructure and processing vendors are documented and managed through vendor risk practices.
SOC 2 roadmap
Our SOC 2 roadmap focuses on maturing documentation, strengthening operational controls, and preparing evidence suitable for an
independent audit. We prioritize control areas most relevant to the nature of Workplace.io, including secure integration handling,
access control, logging/monitoring, and incident response.
- Policies and procedures: documented security policies, incident response procedures, and vendor management practices.
- Evidence readiness: operational logging, access control records, and change management evidence.
- Vendor documentation: subprocessor inventory and supporting documentation for key vendors.
- Testing and review: targeted security testing and follow-up remediation tracking.
No overstatement
We will only claim SOC 2 attestation after an independent CPA firm issues a SOC 2 report covering a defined scope and period.
Customer due diligence support
We support customer security reviews. If your organization requires a security questionnaire, policy artifacts, or a tailored review,
contact us and we’ll coordinate what we can provide.
- Security questionnaire support (including CAIQ-aligned responses where requested).
- Trust Center documentation for common control topics.
- Subprocessor and architecture summaries.