Entropia achieves SOC 2 Type II certification. What it means for the security of our dataroom.
Many providers will claim that your data is safe with them, but how do you know?
At Entropia, we didn’t want customers to take our word for it alone. That’s why we went through months of independent, rigorous auditing to achieve SOC 2 Type II attestation.
What is SOC 2 Type II?
"SOC" stands for System and Organisation Controls. It is an audit framework designed by the American Institute of Certified Public Accountants (AICPA).
The "2" distinguishes it from other SOC reports:
- SOC 1 focuses on controls relevant to financial reporting,
- SOC 2 focuses on operational security and trust,
- and other SOC reports serve other audiences and purposes.
Despite its origins in accountancy, SOC2 has become one of the most widely recognised standards for technology companies that store or process sensitive customer data. The framework evaluates an organisation across five “Trust Services Criteria”:
- Security: protection against unauthorised access.
- Availability: systems must remain operational and resilient.
- Processing integrity: information must be processed accurately and reliably.
- Confidentiality: sensitive information must be restricted to those authorised to see it.
- Privacy: personal information must be collected and used appropriately.
And there are two levels of assurance:
- A Type I report shows that the right controls are designed at a given moment.
- A Type II report goes further: it checks that those controls are not only designed but also operated effectively over a sustained period, typically several months.
For customers, that distinction is crucial. Type II requires months of continuous evidence, not just documents. It’s a discipline, not a checkbox.
What Entropia is doing to maintain SOC 2 Type II
Achieving SOC2 Type II standards required implementing and documenting controls that span every part of our organisation:
- Infrastructure: cloud systems and networks must be hardened (configured securely to resist attacks), monitored (watched in real time for unusual behaviour), and resilient (able to recover quickly from failure). This demands constant tuning and investment.
- Application code: every software change is logged, reviewed, and tested before release. In practice, this means maintaining version control, peer code reviews, and automated test pipelines: disciplines that require rigour from developers, plus supporting processes that enforce consistency and accountability.
- Access management: only authorised individuals can reach specific systems, and their rights are reviewed regularly. This involves multi-factor authentication, role-based permissions, and periodic audits to prevent privilege creep.
- Human resources: employees undergo background checks, receive security training, and are offboarded with care. These measures ensure trust in the people who build and operate the systems, reducing insider risks.
- Incident response: monitoring systems detect anomalies, while response processes ensure swift containment and recovery. This means practising drills, running detection tools, and coordinating teams so that threats are not only spotted but neutralised quickly.
Security isn’t a side project. It’s in every code commit, every access request, every system change.
And crucially, we have been independently audited over several months to prove that these controls are enforced in practice, not just documented in theory.
Why this matters to our customers
For customers, SOC2 Type II provides third-party assurance. It shows that security at Entropia is not simply promised but independently verified. It is among the most widely recognised and demanding attestations available to software-as-a-service providers, requiring stringent controls that operate consistently over time.
This means your data is handled responsibly, systems are monitored, and risks are actively managed. At the same time, it reflects structured, disciplined engineering practices: formal access reviews, reproducible build processes, and operational logs that withstand scrutiny.
It didn’t make us secure. It made us prove it.
What about ISO 27001?
We are not the only ones involved in protecting your data. When you use Entropia, your data is processed through our systems, but when it is stored at rest, it lives on the infrastructure of a cloud provider.
Among our subprocessors, this cloud provider is the most important one: it physically hosts your data. That’s why, when evaluating the security of any SaaS provider, it’s essential to also consider the security standards of the cloud providers they rely on.
Our hosting partner, Scaleway, is certified under ISO/IEC 27001, the internationally recognised standard for information security management systems. This certification applies to Scaleway’s infrastructure and demonstrates that their data centres and cloud environment are governed by strong security and risk management practices.
For Entropia’s customers, this provides an additional layer of assurance: while our SOC2 Type II attestation validates the way we manage and operate our own controls over time, Scaleway’s ISO 27001 certification confirms that the underlying infrastructure on which our services run is also independently verified to follow best practices.
Together, these frameworks address different layers of security: from our operational processes to the physical and cloud environment that supports them.
Our floor, not our ceiling
SOC2 Type II is one of the most widely recognised and rigorous security attestations for SaaS providers, and we are proud to meet it. But for us it is only the floor, not the ceiling.
We are adopting a Zero Trust security model on top: an approach in which no device, user, or request is trusted by default. Every action is authenticated, authorised, and monitored continuously. This model goes beyond the requirements of SOC 2 and strengthens resilience at the architectural level.
💡 Read more: Our zero-trust security model →

Pierre-Louis