Indeemo’s SOC 2 Attestation: what we learned, and what it means for customers
Security isn’t a milestone we check off once a year. It’s part of how Indeemo is built and run every day. Our product and internal processes are designed to protect customer data, keep our platform reliable, and ensure we can scale trust as we grow.
With that foundation in place, we’re happy to share that Indeemo has completed our SOC 2 Type I attestation. This is an externally validated confirmation that we have the right controls designed and in place across security, availability, and confidentiality.
What is SOC 2?
SOC 2 is an auditing framework created by the American Institute of Certified Public Accountants (AICPA). It evaluates how organisations manage customer data across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 reports come in two flavours:
Type I assesses whether controls are designed appropriately at a specific point in time.
Type II goes further by testing whether those controls operate effectively over a period (usually 3 to 12 months).
We completed SOC 2 Type I, and immediately transitioned into our Type II monitoring period. More on that below.
What Indeemo achieved
SOC 2 Type I attestation completed
As-of date: 25 November 2025
Report issued: 26 November 2025
Criteria in scope: Security, Availability, and Confidentiality
This means an independent auditor verified that the controls we’ve implemented to protect customer data and maintain system reliability were properly designed and aligned with SOC 2 requirements on that date.
What was in scope for the audit
The assessment covered three main areas:
The Indeemo SaaS platform
Our AWS cloud infrastructure
Major security and operational processes, including:
Access control
Change management
Incident response
Data governance
Security monitoring
Business continuity and disaster recovery
Risk management
In plain terms, the audit reviewed our platform, our cloud environment, and the core processes that protect customer data and keep Indeemo dependable.
Audit result
We received a clean (unqualified) opinion with no material exceptions or findings.
That’s independent confirmation that our controls were well-designed and fit for purpose as of the audit date, and a strong validation of the security and reliability work already embedded across Indeemo.
Public security highlights
Without getting into the weeds, here are a few high-level practices that represent how we protect customer data and ensure resilience:
Modern cloud-native foundation on AWS
Indeemo runs on a secure, resilient cloud architecture that benefits from AWS’s physical and infrastructure protections and best-in-class reliability features.
Continuous security monitoring and automation
We use automated tooling to continuously monitor controls, configurations, and policies. This includes Infrastructure-as-Code practices and cloud-native security services, with automation supporting evidence collection and control oversight.
Annual penetration testing and ongoing vulnerability assessments
External penetration tests plus continuous vulnerability assessment help us validate our posture and keep improving.
Secure development lifecycle
Our SDLC includes formal change control, peer review, testing, and required approvals before production releases. We also use static analysis (SAST) and software composition analysis (SCA) to catch risks early.
Resilience through verified backups and disaster recovery planning
We operate robust business continuity and DR procedures, including daily verified backups and regular recovery testing.
These are the kinds of controls SOC 2 is designed to evaluate, and now they’ve been independently validated.
Our SOC 2 journey
SOC 2 is never just “an IT project.” It’s a company-wide exercise in discipline, clarity, and evidence.
Here’s how we approached it:
Readiness and gap assessment
We started by mapping where we stood against SOC 2’s requirements.
Strengthening and formalising controls
We enhanced policies, processes, and governance to align with SOC 2 expectations.
Automation and continuous monitoring
The most technically challenging and highest-impact phase was implementing automated compliance monitoring and evidence capture, reducing manual overhead dramatically.
Internal preparations
We integrated and updated pre-existing ISO 27001:2022 documentation, refreshed our vendor inventory and risk register, and validated processes end-to-end.
A remarkably streamlined audit process
Working closely with our audit partner meant the Type I assessment was largely completed in one go, with only minor clarifications needed.
Transition straight into Type II monitoring
With Type I complete, we moved directly into Type II monitoring, supported by continuous automated checks and oversight.
Challenges and surprises
A few things stood out along the way:
The sheer volume of evidence SOC 2 expects
Most controls aren’t hard to implement. Proving they exist with verifiable evidence is the real work.
Cross-team coordination is essential
SOC 2 touches Engineering, Security, HR, Customer Support, and Operations. Getting everyone aligned is part of the process.
Crafting the formal system description matters a lot
The narrative of how your system works needs to be accurate, complete, and defensible.
Automation was a bigger win than expected
Continuous monitoring and automated evidence capture removed a huge amount of manual work and made the process far more manageable.
Lessons learned (for anyone else going through SOC 2)
If we could pass a few practical lessons to other teams starting this journey:
Start early (SOC 2 is bigger than you might think).
Writing, aligning, and proving controls takes time.
Automate your compliance where possible.
Tools like Vanta dramatically reduce manual work and errors.
Make it a company-wide project, not an IT-only task.
SOC 2 touches Engineering, HR, Operations, Customer Support, and Leadership.
Keep evidence organised from day one.
SOC 2 isn’t hard; gathering proof of everything is.
Think beyond the certificate.
SOC 2 genuinely improves discipline, reliability, and customer trust.
What this means for customers
For customers and partners, the message of this attestation is simple: Indeemo has independent, third-party validation that the systems and processes protecting your data are thoughtfully designed and aligned with a recognised security standard.
We know trust is earned continuously, not announced once. That’s why we’ve already begun Type II monitoring, and we’ll keep investing in security and reliability as Indeemo grows.