Ionic Achieves SOC 2® Type 1 compliance

Ionic is proud to announce that we have completed our SOC 2 examination and are SOC 2 Type I compliant. This is the latest achievement in our ongoing commitment to industry-leading security for our users and customers. Receiving a compliant SOC 2 report means that Ionic is securely managing 3rd party data to protect information and ensure privacy for customers of Appflow, our mobile CI/CD solution.

What is SOC 2

System and Organization Controls (SOC) 2 is a standard established by the American Institute of Certified Public Accountants (AICPA) to test an organization’s controls for information security and privacy. It is the industry standard for companies and products that use the cloud to store data. In addition to validating strong processes to protect against data breaches and security incidents, SOC 2 is required by many enterprises evaluating vendors and tools like Ionic.

A SOC 2 Type I audit specifically tests the design of a compliance program and compliance at a point in time. This involves defining and documenting security controls and providing evidence that controls are functioning properly. A SOC 2 audit must be completed by a CPA firm.

By pursuing and achieving SOC 2 Type I compliance, Ionic is in line with top organizations in the industry and has demonstrated a commitment to security. Appflow customers can rest assured that we have completed a critical step in establishing and ensuring safety controls.

The Road to SOC 2

Our Partner

Choosing a vendor to complete the SOC 2 examination process is a critical decision. Ionic has partnered with Laika, a leading compliance platform that provides end-to-end support, so that we have a trusted partner every step of the way. Working with Laika, Ionic completed a thorough review of our systems, controls, policies, vendors, as well as testing and auditing to ensure compliance with the standards set forth by the AICPA.

Our Process

Completing the SOC 2 examination is a rigorous process that audits against five Trust Services criteria: 

• Security: The required, foundational criteria that tests if customer information is protected from unauthorized access at all times with systems to handle that information.
• Availability: Criteria dealing with the availability of our systems, including system performance, downtime, and security incident handling.
• Confidentiality: Criteria involving the handling and security of data deemed confidential.
• Privacy: Criteria addressing the secure collection, handling, and storage of personal information.
• Processing: Criteria addressing processing integrity, including error detection and resolution and data storage and maintenance.

A complete review of the entire architecture and data flow of Appflow’s systems was conducted. This includes how data is managed and stored, as well as any third-party vendors or services used. The review included documentation, testing, and any recommended revisions to ensure security.

Another aspect of completing the examination is the documentation of all policies related to security and privacy. This means defining dozens of policies across 15+ compliance categories, as well as providing evidence that these policies are enforced.

Ionic also submitted to an audit of its processes in relation to development, including access controls, change management, incidence response, observability factors like monitoring, error reporting, and alerts, and data retention and disposal procedures.

Ionic + Security

Appflow takes a number of steps to ensure the safety and security of our customer data. We document our protocols across various security areas on our Appflow Trust page. These include:

• Product security like source code protection and multi-factor authentication access control
• Data security like encryption and data backup best practices
• Network security like vulnerability scans and build isolation
• Application security like penetration testing and a 99.9% uptime
• Business security like policies, education, and incident response
• Physical security for in-person and remote locations and hardware

We know that your users trust you with their data, and in turn you trust us. 

Ionic’s focus on security also includes providing security solutions that ensure the safety of your mobile applications and data, including Auth Connect, Identify Vault, and Secure Storage.

What’s Next

SOC 2 Type II compliance, which requires an ongoing observation window of 6-12 months, is the next step. We will continue to make security a top priority and provide updates as we make progress toward Type II compliance. 

For more details, the SOC 2 Type I report is available by request. Contact your Customer Success Manager or security@ionic.io to request access.