Key takeaways
- Indeemo has completed its SOC 2 Type I attestation — independent validation that our security, availability, and confidentiality controls are properly designed and in place.
- The audit covered the Indeemo SaaS platform, our AWS cloud infrastructure, and core security and operational processes including access control, change management, incident response, and disaster recovery.
- We received a clean (unqualified) opinion with no material exceptions or findings.
- We've already transitioned into our Type II monitoring period, with continuous automated checks running alongside our controls.
- Security isn't a milestone we check off once a year. It's part of how Indeemo is built and run every day.
Why SOC 2 matters to us
Security isn't a milestone we check off once a year. It's part of how Indeemo is built and run every day. Our product and internal processes are designed to protect customer data, keep our platform reliable, and ensure we can scale trust as we grow.
With that foundation in place, we're happy to share that Indeemo has completed our SOC 2 Type I attestation. This is an externally validated confirmation that we have the right controls designed and in place across security, availability, and confidentiality.
What is SOC 2?
SOC 2 is an auditing framework created by the American Institute of Certified Public Accountants (AICPA). It evaluates how organisations manage customer data across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 reports come in two flavours:
- Type I assesses whether controls are designed appropriately at a specific point in time.
- Type II goes further by testing whether those controls operate effectively over a period (usually 3 to 12 months).
We completed SOC 2 Type I, and immediately transitioned into our Type II monitoring period. More on that below.
What did Indeemo achieve?
SOC 2 Type I attestation completed.
- As-of date: 25 November 2025
- Report issued: 26 November 2025
- Criteria in scope: Security, Availability, and Confidentiality
This means an independent auditor verified that the controls we've implemented to protect customer data and maintain system reliability were properly designed and aligned with SOC 2 requirements on that date.
What was in scope for the audit?
The assessment covered three big areas:
- The Indeemo SaaS platform
- Our AWS cloud infrastructure
- Major security and operational processes, including access control, change management, incident response, data governance, security monitoring, business continuity and disaster recovery, and risk management
In plain terms, the audit reviewed our platform, our cloud environment, and the core processes that protect customer data and keep Indeemo dependable.
What was the audit result?
We received a clean (unqualified) opinion with no material exceptions or findings.
That's independent confirmation that our controls were well-designed and fit for purpose as of the audit date, and a strong validation of the security and reliability work already embedded across Indeemo.
What security practices sit behind the attestation?
Without getting into the weeds, here are a few high-level practices that represent how we protect customer data and ensure resilience.
Modern cloud-native foundation on AWS
Indeemo runs on a secure, resilient cloud architecture that benefits from AWS's physical and infrastructure protections and best-in-class reliability features.
Continuous security monitoring and automation
We use automated tooling to continuously monitor controls, configurations, and policies. This includes Infrastructure-as-Code practices and cloud-native security services, with automation supporting evidence collection and control oversight.
Annual penetration testing and ongoing vulnerability assessments
External penetration tests plus continuous vulnerability assessment help us validate our posture and keep improving.
Secure development lifecycle
Our SDLC includes formal change control, peer review, testing, and required approvals before production releases. We also use static analysis (SAST) and software composition analysis (SCA) to catch risks early.
Resilience through verified backups and disaster recovery planning
We operate robust business continuity and DR procedures, including daily verified backups and regular recovery testing.
These are the kinds of controls SOC 2 is designed to evaluate, and now they've been independently validated.
How did Indeemo approach the SOC 2 journey?
SOC 2 is never just "an IT project." It's a company-wide exercise in discipline, clarity, and evidence. Here's how we approached it.
Readiness and gap assessment
We started by mapping where we stood versus SOC 2's requirements.
Strengthening and formalising controls
We enhanced policies, processes, and governance to align with SOC 2 expectations.
Automation and continuous monitoring
The most technically challenging and highest-impact phase was implementing automated compliance monitoring and evidence capture, reducing manual overhead dramatically.
Internal preparations
We integrated and updated pre-existing ISO 27001:2022 documentation, refreshed our vendor inventory and risk register, and validated processes end-to-end.
A remarkably streamlined audit process
Working closely with our audit partner meant the Type I assessment was largely completed in one go, with only minor clarifications needed.
Transition straight into Type II monitoring
With Type I complete, we moved directly into Type II monitoring, supported by continuous automated checks and oversight.
What challenges and surprises came up?
A few things stood out along the way.
- The sheer volume of evidence SOC 2 expects. Most controls aren't hard to implement. Proving they exist with verifiable evidence is the real work.
- Cross-team coordination is essential. SOC 2 touches Engineering, Security, HR, Customer Support, and Operations. Getting everyone aligned is part of the process.
- Crafting the formal system description matters a lot. The narrative of how your system works needs to be accurate, complete, and defensible.
- Automation was a bigger win than expected. Continuous monitoring and automated evidence capture removed a huge amount of manual work and made the process far more manageable.
What lessons would we pass on?
If we could pass a few practical lessons to other teams starting this journey:
- Start early. SOC 2 is bigger than you might think. Writing, aligning, and proving controls takes time.
- Automate your compliance where possible. Tools like Vanta dramatically reduce manual work and errors.
- Make it a company-wide project, not an IT-only task. SOC 2 touches Engineering, HR, Operations, Customer Support, and Leadership.
- Keep evidence organised from day one. SOC 2 isn't hard; gathering proof of everything is.
- Think beyond the attestation. SOC 2 genuinely improves discipline, reliability, and customer trust.
What does this mean for customers?
For customers and partners, what this attestation means is simple: Indeemo has independent, third-party validation that the systems and processes protecting your data are thoughtfully designed and aligned with a recognised security standard.
We know trust is earned continuously, not announced once. That's why we've already begun Type II monitoring, and we'll keep investing in security and reliability as Indeemo grows.

