[{"data":1,"prerenderedAt":485},["ShallowReactive",2],{"security-featured-en":3},[4,172,258],{"id":5,"title":6,"author":7,"body":8,"date":160,"description":161,"extension":162,"image":163,"meta":164,"navigation":165,"path":166,"seo":167,"stem":168,"tags":169,"__hash__":171},"blog\u002Fblog\u002Fen\u002Fsoc2.md","Entropia is now SOC 2 Type II certified","The Entropia team",{"type":9,"value":10,"toc":151},"minimark",[11,15,20,36,43,59,62,66,69,86,89,93,96,99,110,114,121,124,127,130,133,137,140,143],[12,13,14],"p",{},"Many providers will claim that your data is safe with them, but how do you know? At Entropia, we didn't want customers to take our word for it alone. That's why we went through months of independent, rigorous auditing to achieve SOC 2 Type II attestation.",[16,17,19],"h2",{"id":18},"what-is-soc-2-type-ii","What is SOC 2 Type II?",[12,21,22,26,27,31,32,35],{},[23,24,25],"strong",{},"\"SOC\""," stands for ",[28,29,30],"em",{},"System and Organisation Controls",". It is an audit framework designed by the ",[28,33,34],{},"American Institute of Certified Public Accountants"," (AICPA).",[12,37,38,39,42],{},"The ",[23,40,41],{},"\"2\""," distinguishes it from other SOC reports:",[44,45,46,53],"ul",{},[47,48,49,52],"li",{},[23,50,51],{},"Type I"," evaluates design of controls at a point in time.",[47,54,55,58],{},[23,56,57],{},"Type II"," evaluates their operating effectiveness over a period (typically 6–12 months).",[12,60,61],{},"For customers, that distinction is crucial. Type II requires months of continuous evidence, not just documents. It's a discipline, not a checkbox.",[16,63,65],{"id":64},"what-entropia-is-doing-to-maintain-soc-2-type-ii","What Entropia is doing to maintain SOC 2 Type II",[12,67,68],{},"Achieving SOC 2 Type II standards required implementing and documenting controls that span every part of our organisation:",[44,70,71,74,77,80,83],{},[47,72,73],{},"Formal access reviews and permission boundaries",[47,75,76],{},"Reproducible build processes",[47,78,79],{},"Operational logs, monitoring, and alerting",[47,81,82],{},"Incident response procedures",[47,84,85],{},"Vendor and subprocessor management",[12,87,88],{},"Security isn't a side project. It's in every code commit, every access request, every system change. And crucially, we have been independently audited over several months to prove that these controls are enforced in practice, not just documented in theory.",[16,90,92],{"id":91},"why-this-matters-to-our-customers","Why this matters to our customers",[12,94,95],{},"For customers, SOC 2 Type II provides third-party assurance. It shows that security at Entropia is not simply promised but independently verified. It is among the most widely recognised and demanding attestations available to software-as-a-service providers, requiring stringent controls that operate consistently over time.",[12,97,98],{},"This means your data is handled responsibly, systems are monitored, and risks are actively managed. At the same time, it reflects structured, disciplined engineering practices: formal access reviews, reproducible build processes, and operational logs that withstand scrutiny.",[12,100,101,102,105,106,109],{},"It didn't ",[28,103,104],{},"make"," us secure. It made us ",[28,107,108],{},"prove"," it.",[16,111,113],{"id":112},"what-about-iso-27001","What about ISO 27001?",[12,115,116,117,120],{},"We are not the only ones involved in protecting your data. When you use Entropia, your data is processed through our systems, but when it is stored ",[28,118,119],{},"at rest",", it lives on the infrastructure of a cloud provider.",[12,122,123],{},"Among our subprocessors, this cloud provider is the most important one: it physically hosts your data. That's why, when evaluating the security of any SaaS provider, it's essential to also consider the security standards of the cloud providers they rely on.",[12,125,126],{},"Our hosting partner, Scaleway, is certified under ISO\u002FIEC 27001 — the internationally recognised standard for information security management systems. This certification applies to Scaleway's infrastructure and demonstrates that their data centres and cloud environment are governed by strong security and risk management practices.",[12,128,129],{},"For Entropia's customers, this provides an additional layer of assurance: our SOC 2 Type II attestation validates the way we manage and operate our own controls over time, while Scaleway's ISO 27001 certification confirms that the underlying infrastructure on which our services run is also independently verified.",[12,131,132],{},"Together, these frameworks address different layers of security — from our operational processes to the physical and cloud environment that supports them.",[16,134,136],{"id":135},"our-floor-not-our-ceiling","Our floor, not our ceiling",[12,138,139],{},"SOC 2 Type II is one of the most widely recognised and rigorous security attestations for SaaS providers, and we are proud to meet it. But for us it is only the floor, not the ceiling.",[12,141,142],{},"We are adopting a Zero Trust security model on top: an approach in which no device, user, or request is trusted by default. Every action is authenticated, authorised, and monitored continuously. This model goes beyond the requirements of SOC 2 and strengthens resilience at the architectural level.",[12,144,145,146],{},"Read more: ",[147,148,150],"a",{"href":149},"\u002Fblog\u002Fzero-trust","Our zero-trust security model →",{"title":152,"searchDepth":153,"depth":153,"links":154},"",2,[155,156,157,158,159],{"id":18,"depth":153,"text":19},{"id":64,"depth":153,"text":65},{"id":91,"depth":153,"text":92},{"id":112,"depth":153,"text":113},{"id":135,"depth":153,"text":136},"2025-08-15","Entropia achieves SOC 2 Type II certification. What it means for the security of our dataroom.","md","\u002Fblog\u002Fsoc2-type-ii-header-photo-with-controls.png",{},true,"\u002Fblog\u002Fen\u002Fsoc2",{"title":6,"description":161},"blog\u002Fen\u002Fsoc2",[170],"security","eWPuDtZXrgUPhvXCoWry__HN6J6PQG3vGxx99Oc8J1o",{"id":173,"title":174,"author":175,"body":176,"date":248,"description":249,"extension":162,"image":250,"meta":251,"navigation":165,"path":252,"seo":253,"stem":254,"tags":255,"__hash__":257},"blog\u002Fblog\u002Fen\u002Fdata-sovereignty-what-european-customers-need-to-know.md","European sovereignty’s true test: ownership","Pierre-Louis",{"type":9,"value":177,"toc":246},[178,181,186,189,192,196,199,202,205,209,212,215,219,222,225,228,231,234,237,243],[12,179,180],{},"A Munich law firm uploads due diligence files to a Frankfurt data center. A Paris investment bank stores M&A documents on servers in Amsterdam. Both assume their data remains European. Yet both remain exposed to American surveillance laws.",[182,183,185],"h4",{"id":184},"the-geography-trap","The geography trap",[12,187,188],{},"The assumption that hosting data within EU borders shields it from foreign access has become one of corporate Europe's most dangerous misconceptions. Under the US CLOUD Act of 2018 and FISA Section 702, American authorities can compel US-owned companies to surrender data regardless of its physical location. The laws follow ownership, not geography. Microsoft acknowledged this reality in testimony before the French Senate earlier this year, unable to guarantee that customer data stored in European data centers would never be transferred to US authorities.",[12,190,191],{},"This jurisdictional tension has turned critical for the European M&A market, where document security determines deal outcomes. The continent processed 9,800 M&A transactions in 2023, a 12 percent increase over the prior year according to LSEG Data & Analytics. Each involved thousands of confidential documents cycling through virtual data rooms. A single compliance breach carries penalties reaching 20 million euros or 4 percent of global revenue under GDPR. More damaging still is the reputational cost when sensitive transaction details surface through foreign surveillance channels.",[182,193,195],{"id":194},"sovereignty-washing","Sovereignty washing",[12,197,198],{},"The technical response from American hyperscalers has been predictable. Microsoft, Amazon, and Google now market \"sovereign cloud\" solutions featuring European data centers and local partnerships. Critics call this \"sovereignty washing.\" As Cristina Caffarra, a Brussels-based competition economist, explained to The Register: \"A company subject to the extraterritorial laws of the United States cannot be considered sovereign for Europe. That simply doesn't work.\" The parent company's American domicile ensures continued CLOUD Act jurisdiction, regardless of subsidiary structures or contractual promises.",[12,200,201],{},"Genuine sovereignty requires European ownership, not merely European hosting. French cloud provider Scaleway operates under this principle, with data centers in Paris, Amsterdam, and Warsaw controlled entirely by French parent company Iliad Group. No American parent company means no CLOUD Act exposure. The distinction matters operationally.",[12,203,204],{},"When Entropia, a virtual data room provider built by former Google engineers, evaluated infrastructure partners for its M&A platform, ownership structure determined the shortlist. The company's MCP server integration allows clients to access AI platforms like Claude and ChatGPT while maintaining document access controls, but the underlying infrastructure must remain immune to non-EU legal frameworks. Partnering with Scaleway solved the jurisdictional problem without compromising technical capabilities.",[182,206,208],{"id":207},"the-market-responds","The market responds",[12,210,211],{},"The shift is measurable. Germany's Schleswig-Holstein completed migration of 24,000 civil servants from Microsoft products to open-source alternatives in 2024. The International Criminal Court switched to European collaboration tools after chief prosecutor Karim Khan was temporarily locked from his Outlook account. France TV, GENCI, and the French National Center for Scientific Research signed partnerships with Scaleway rather than hyperscalers for infrastructure requiring full sovereign control. Corporate legal departments report similar patterns, with 67 percent experiencing deal delays due to cross-border compliance verification, according to the European Confederation of Directors' Associations.",[12,213,214],{},"The FISA Section 702 renewal in April 2024 sharpened these concerns. The law now covers \"any business with internet-linked infrastructure,\" expanding surveillance reach beyond traditional communications providers to encompass cloud services and data centers. The expansion came despite European Data Protection Board warnings that existing US surveillance laws already fell short of GDPR adequacy standards. Privacy advocates expect the EU-US Data Privacy Framework, which replaced the invalidated Privacy Shield agreement, to face judicial challenge within two years.",[182,216,218],{"id":217},"practical-implications-for-ma","Practical implications for M&A",[12,220,221],{},"For M&A practitioners, the implications are straightforward. Due diligence materials, financial projections, and transaction structures constitute precisely the sensitive commercial information that foreign intelligence agencies target for economic advantage.",[12,223,224],{},"The theoretical risk of CLOUD Act access during a transaction may be small, but the consequences of exposure are catastrophic. European alternatives eliminate the possibility entirely by removing the jurisdictional vulnerability at its source.",[12,226,227],{},"This does not mean European companies must abandon all American cloud services. Hybrid strategies work for many organizations, using global platforms for general computing while routing sensitive transactions through sovereign infrastructure. The key is understanding which workloads demand jurisdictional control. M&A documents, intellectual property repositories, and regulated financial data belong in infrastructure that answers exclusively to European law. Generic collaboration tools and development environments can tolerate broader exposure.",[12,229,230],{},"The virtual data room market reflects this calculus. European VDR revenue reached 860 million dollars in 2024 and is projected to quadruple by 2033, driven by regulatory compliance and cross-border transaction complexity. Providers emphasizing European ownership and ISO 27001 certification capture premium pricing from clients prioritizing sovereignty over convenience. The market dynamic suggests that compliance-conscious organizations increasingly view ownership as a security feature rather than a procurement detail.",[12,232,233],{},"Perhaps inevitably, the American hyperscalers will continue marketing sovereignty solutions. Their scale, innovation velocity, and ecosystem integrations remain formidable competitive advantages. Yet as long as CLOUD Act jurisdiction follows corporate parentage, these offerings cannot deliver true legal independence. The technical capabilities may be identical, but the legal architecture fundamentally differs. For European organizations handling sensitive M&A transactions, that distinction determines where the data lives.",[235,236],"hr",{},[238,239,240],"blockquote",{},[12,241,242],{},"CLOUD, in CLOUD Act, is capitalized because it means: \"Clarifying Lawful Overseas Use of Data\" Act.",[12,244,245],{},"Image credit: Scaleway",{"title":152,"searchDepth":153,"depth":153,"links":247},[],"2025-12-26","Extraterritorial laws override server location. True sovereignty requires European ownership, not only hosting.","\u002Fblog\u002Fscreenshot-2025-12-26-at-15.46.48.png",{},"\u002Fblog\u002Fen\u002Fdata-sovereignty-what-european-customers-need-to-know",{"title":174,"description":249},"blog\u002Fen\u002Fdata-sovereignty-what-european-customers-need-to-know",[256,170],"sovereignty","oyAdfxu75ASpOLUYbqzlDaO4TEy2iKaosFC--SbsW3A",{"id":259,"title":260,"author":175,"body":261,"date":476,"description":477,"extension":162,"image":478,"meta":479,"navigation":165,"path":480,"seo":481,"stem":482,"tags":483,"__hash__":484},"blog\u002Fblog\u002Fen\u002Fzero-trust.md","Our Zero Trust security architecture",{"type":9,"value":262,"toc":467},[263,266,269,272,275,279,282,285,288,291,302,305,309,314,317,320,329,335,338,342,345,451,454,458,461,464],[12,264,265],{},"Would you leave your front door unlocked simply because your neighbourhood has a low crime rate?",[12,267,268],{},"Many companies, even by meeting compliance standards, implicitly do just that.",[12,270,271],{},"Entropia has validated the SOC2 Type II level controls, which corresponds to proving that the neighbourhood is under constant surveillance and demonstrably safe.",[12,273,274],{},"But we have chosen to go further and raise the bar with a Zero Trust model.",[16,276,278],{"id":277},"what-zero-trust-means","What Zero Trust means",[12,280,281],{},"For decades, corporate networks were built like castles, or fortresses: high walls, a deep moat, and the assumption that anyone allowed inside was trustworthy.",[12,283,284],{},"Unfortunately, modern attackers might still steal a key or tunnel under the moat. If they ever manage to get inside, they can wander freely.",[12,286,287],{},"Zero Trust rejects the castle. Instead, it assumes that no user, device, or network packet is trustworthy by default. Each request to access resources, whether from an employee, contractor, or application, is treated as if it comes from an untrusted network until it has been inspected, authenticated, and verified. Access is granted only for the minimum necessary purpose and only for as long as needed.",[12,289,290],{},"This model is implemented by leading companies such as Google where our CTO, Pierre, spent six years as a Solutions Engineer, gaining firsthand experience of how it works in practice. Google frames the model around three core principles:",[44,292,293,296,299],{},[47,294,295],{},"Assume all network traffic is a potential threat at all times. Every user, device, and flow is subject to ongoing authentication, authorisation, and validation, with any request lacking explicit permission automatically denied.",[47,297,298],{},"Enforce least-privileged access. Each entity is granted only the minimum rights needed to complete a task, limiting the ability of attackers to move laterally if compromise occurs.",[47,300,301],{},"Always monitor. Continuous oversight analyses and manages activity in real time, identifying potential threats, incidents, and anomalies to investigate.",[12,303,304],{},"These principles, first articulated by Forrester and formalised by the U.S. National Institute of Standards and Technology (NIST), form the foundation of our own approach.",[16,306,308],{"id":307},"how-zero-trust-raises-the-bar-above-soc-2","How Zero Trust raises the bar above SOC 2",[310,311,313],"h3",{"id":312},"what-is-soc-2","What is SOC 2",[12,315,316],{},"Customers increasingly demand evidence that their providers handle data responsibly. SOC2, created by the American Institute of CPAs, has become one of the most widely recognised audit frameworks.",[12,318,319],{},"The standard evaluates an organisation's controls across five \"Trust Services Criteria\": security, availability, processing integrity, confidentiality, and privacy.",[12,321,322,323,325,326,328],{},"A ",[23,324,51],{}," report describes how controls are designed at a single point in time.\nA ",[23,327,57],{}," report, which we have achieved, goes further: it validates that those controls operate effectively over months, not merely on paper.",[12,330,331],{},[147,332,334],{"href":333},"\u002Fblog\u002Fsoc2","> Read more about our SOC2 Type II certification",[12,336,337],{},"But as robust as it is, SOC 2 is still a framework of proof, not an architecture of defence. It tells customers that the right doors are locked and checked regularly. It does not redesign the building itself.\nThat is why we describe SOC 2 Type II as our floor, not our ceiling.",[310,339,341],{"id":340},"where-zero-trust-goes-further","Where Zero Trust goes further",[12,343,344],{},"Zero Trust pushes security beyond compliance checklists into systemic resilience. To illustrate the contrast in concrete terms, here are a few key examples where Zero Trust provides stronger protection than SOC 2 expectations. The list is not exhaustive, but it highlights the most important areas where the difference is most tangible.",[44,346,347,360,373,386,399,412,425,438],{},[47,348,349,352],{},[23,350,351],{},"Stolen credentials cannot enable long-term access",[44,353,354,357],{},[47,355,356],{},"SOC2: Restrict access to authorised users (often with MFA and roles)",[47,358,359],{},"Zero Trust: Continuous verification of user identity, device health, and behaviour at every request (that is, every attempt by a user, device, or application to access a resource)",[47,361,362,365],{},[23,363,364],{},"Containing breaches, not only detecting them",[44,366,367,370],{},[47,368,369],{},"SOC2: Monitor systems for anomalies and respond to incidents",[47,371,372],{},"Zero Trust: Real-time enforcement that blocks risky actions before they escalate",[47,374,375,378],{},[23,376,377],{},"Stopping data exfiltration at the source",[44,379,380,383],{},[47,381,382],{},"SOC2: Encrypt data in storage and transit",[47,384,385],{},"Zero Trust: Add context-aware rules (e.g., downloads blocked from non-compliant devices)",[47,387,388,391],{},[23,389,390],{},"Eliminating lingering third-party access",[44,392,393,396],{},[47,394,395],{},"SOC2: Assess vendor risk and restrict external access",[47,397,398],{},"Zero Trust: Just-in-time, least-privilege access for third parties",[47,400,401,404],{},[23,402,403],{},"Limiting the blast radius of incidents",[44,405,406,409],{},[47,407,408],{},"SOC2: Demonstrate risk assessments and mitigations",[47,410,411],{},"Zero Trust: Architect systems to minimise blast radius by design",[47,413,414,417],{},[23,415,416],{},"Maintaining service resilience",[44,418,419,422],{},[47,420,421],{},"SOC2: Ensure system availability with continuity plans",[47,423,424],{},"Zero Trust: Design resilient architectures that isolate failures and keep services running",[47,426,427,430],{},[23,428,429],{},"Protecting confidentiality dynamically",[44,431,432,435],{},[47,433,434],{},"SOC2: Document confidentiality and privacy policies",[47,436,437],{},"Zero Trust: Enforce context-aware restrictions and encryption by design",[47,439,440,443],{},[23,441,442],{},"Reducing insider risk",[44,444,445,448],{},[47,446,447],{},"SOC2: Apply HR and access review policies",[47,449,450],{},"Zero Trust: Limit insider risk with least-privilege and continuous monitoring",[12,452,453],{},"And there is more to it: these examples illustrate some of the obvious contrasts, but Zero Trust also changes the way systems are conceived and built, embedding security into the architecture itself rather than treating it as a compliance exercise.",[16,455,457],{"id":456},"why-should-our-customers-care","Why should our customers care?",[12,459,460],{},"For dataroom customers, the implications are crucial. SOC2 compliance means your data is handled responsibly, Zero Trust means it is defended relentlessly. Breaches that would spill across a legacy dataroom provider's environment stop cold within ours.",[12,462,463],{},"Building on Zero Trust is more demanding for application developers, because security must be engineered directly into the architecture rather than bolted on later. Zero Trust requires grappling with identity-driven policies (deciding who can access which resources and under what conditions), network segmentation (designing the system so that even if one part is compromised, attackers cannot easily move to another), and continuous telemetry (collecting and analysing data about activity in real time to detect and prevent anomalies).",[12,465,466],{},"Together, the two frameworks signal Entropia's ambition to raise the bar for dataroom customers: SOC2 Type II proves we meet one of the toughest industry standards, while Zero Trust shows we aim beyond yesterday's definitions of secure.",{"title":152,"searchDepth":153,"depth":153,"links":468},[469,470,475],{"id":277,"depth":153,"text":278},{"id":307,"depth":153,"text":308,"children":471},[472,474],{"id":312,"depth":473,"text":313},3,{"id":340,"depth":473,"text":341},{"id":456,"depth":153,"text":457},"2025-07-28","Zero Trust explained: learn how Entropia elevates data room security beyond compliance frameworks.","\u002Fblog\u002Fzero-trust-header-picture.png",{},"\u002Fblog\u002Fen\u002Fzero-trust",{"title":260,"description":477},"blog\u002Fen\u002Fzero-trust",[170],"QOeL6-Q6pbo7EuDBT_H0OO07kgui3rhmQKniPgVnI2Q",1779730898675]