SOC 2 Type II
[ certified ] security · availability · confidentiality
[ what it actually means ]
SOC 2 Type II is an attestation, not a badge: an independent auditor examines whether our security, availability, and confidentiality controls actually operated over a months-long window — not whether they existed on the day the auditor visited. It is the closest thing the industry has to a record rather than a snapshot. What it does not mean: that we are unbreachable, or that every control is perfect. It means a third party checked that we do what we say we do, over time, and wrote down where we fell short.
[ our posture ]
Type II, not Type I
We hold a Type II report covering security, availability, and confidentiality. Type I would have been faster and cheaper — it audits design at a point in time. We waited for the operating-effectiveness audit because a snapshot is not a record.
Continuous control monitoring
The controls in scope — access reviews, change management, incident response, vendor review — are monitored continuously, not reassembled annually for the auditor. Audit season at Mynd Labs is an export, not a fire drill.
Exceptions are in the report, on purpose
Where a control deviated during the window, the deviation is in the report with our remediation. We do not negotiate findings down to keep the document clean; a clean report nobody believes is worth less than an honest one.
Annual renewal with the same scope or wider
The audit renews annually and scope only ratchets up — a trust criterion, once in scope, does not quietly disappear from next year's report.
[ request documentation ]
The current SOC 2 Type II report is available to customers and serious prospects under NDA.