When we completed our SOC 2 Type I attestation in November 2025, we said trust is earned continuously, not announced once. We also said we'd moved straight into Type II monitoring. That period is now complete.

We're pleased to share that Indeemo has achieved SOC 2 Type II attestation, independently audited by Sensiba, covering the period 26 November 2025 to 25 February 2026.

Key takeaways

Indeemo has completed SOC 2 Type II attestation, independently audited by Sensiba across the period 26 November 2025 – 25 February 2026.
The result was a clean, unqualified opinion with no exceptions noted — controls were consistently followed throughout the audit period, not just well designed on paper.
Type II proves controls work over time. Type I confirms they were designed correctly. That distinction matters when evaluating a platform to trust with participant data.
Continuous automated monitoring via Vanta and AWS security infrastructure underpinned the clean result — compliance runs in the background, not just at audit time.
The audit covered five control categories: Control Environment, Risk Assessment, Monitoring Activities, Logical Access, and System Operations.

A quick recap: Type I vs Type II

If you read our Type I post, you'll know how this works. But here's the short version.

Type I

Point in time

Confirms controls are designed correctly as of a specific date. An auditor reviews whether the right structures are in place.

Design only · Single date · Completed Nov 2025

Type II

Proven over time

Tests whether controls operated effectively over a defined period — with evidence collected throughout. Significantly harder to achieve.

Design + effectiveness · 3-month period · Completed Feb 2026

That distinction matters. Anyone can document a policy. Type II proves you followed it — consistently, over time, with evidence to back it up.

What Indeemo achieved

SOC 2 Type II — Audit summary

Audit period

26 Nov 2025 – 25 Feb 2026

Auditor

Sensiba

Criteria in scope

Security, Availability, Confidentiality

Systems in scope

SaaS platform, AWS infrastructure, security processes

Clean opinion

No exceptions noted — controls designed and operating effectively throughout the full audit period.

What the result means

A clean opinion with no exceptions is the best possible outcome from a Type II audit.

0

Exceptions noted across the full audit period. No control failures. Controls consistently followed throughout — independent confirmation of high operational maturity.

Exceptions noted across the full audit period. No control failures. Controls consistently followed — independent confirmation of high operational maturity.

This is qualitatively different from Type I. Type I validates intent. Type II validates execution. The five control categories assessed — Control Environment, Risk Assessment, Monitoring Activities, Logical Access, and System Operations — collectively determine whether a platform is genuinely secure and consistently managed, not just well-documented.

How we maintained compliance over the period

Continuous automated monitoring with Vanta

We use Vanta to automate evidence collection, control testing, and ongoing compliance checks. Rather than scrambling to gather proof at audit time, monitoring runs continuously in the background. That automation was one of the biggest practical wins in our Type I journey, and it paid off again here.

AWS security infrastructure

Our cloud environment is built on AWS, with encryption, identity management, and security monitoring embedded at the infrastructure level. This isn't bolt-on security — it's foundational.

A disciplined operational culture

Controls don't sustain themselves. The real work behind a clean Type II result is the day-to-day discipline across Engineering, Security, Operations, and beyond. SOC 2 compliance is never just an IT task.

How security works between Indeemo and our customers

SOC 2 operates on a shared responsibility model. Indeemo is responsible for the platform and underlying infrastructure — the controls, architecture, monitoring, and processes that protect the environment your data lives in. Customers manage access, credentials, and user offboarding within their own organisation.

Indeemo's responsibility

Platform and SaaS application security
AWS cloud infrastructure and architecture
Encryption and data governance
Access control and identity management
Incident response and monitoring
Business continuity and disaster recovery

Customer's responsibility

Enabling multi-factor authentication (MFA)
Managing passwords and credentials
Controlling who has access within your organisation
Offboarding users promptly when they leave

Understanding that split helps set realistic expectations and makes the overall security posture stronger on both sides.

What this means for customers

For customers and prospects evaluating Indeemo, this attestation answers a simple question: do Indeemo's security practices actually hold up — not just on a given day, but over time? The answer is independently verified: yes.

Whether you're a research agency handling participant data, an in-house team managing sensitive consumer insights, or a pharma or healthcare organisation with additional compliance requirements, you can point to our SOC 2 Type II report as third-party evidence of how we manage and protect your data. A copy is available on request via our Trust Centre at trust.indeemo.com.

What comes next

SOC 2 is a continuous commitment, not a one-time certification. We'll continue Type II monitoring on an ongoing basis, keeping our controls tested, evidence documented, and our posture improving as Indeemo grows.

Our controls are not just designed. They are proven to work over time.