AnnounceKit is SOC 2 Type I compliant, meaning our systems and security controls have been independently examined against the AICPA Trust Services Criteria. This attestation shows that we design our infrastructure and controls to protect your data against unauthorized access, availability failures, and processing errors. If you are evaluating AnnounceKit for your organization and need assurance about data security, this page explains what our SOC 2 report covers, what it does not, and what it means for you.

Security has been a primary concern for AnnounceKit from day one. To back that commitment with independent evidence, we started the SOC 2 process several months ago. After working through roughly a hundred requirements, policy documents, practices, and tasks, we completed the audit.

We are proud to announce that we passed the SOC 2 audit and are now officially SOC 2 Type I compliant. Passing the audit means an independent CPA firm has examined our controls and found them suitably designed, as of the report date, to meet the Trust Services Criteria for security, availability, processing integrity, and confidentiality.

This is not the end; there is more work ahead. The next step is the SOC 2 Type II audit, which examines whether those same controls operate effectively across an extended observation period rather than at a single point in time.

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an attestation framework for service organizations, developed by the American Institute of CPAs (AICPA). A SOC 2 report is an independent CPA firm's opinion on whether the organization's controls are suitably designed (and, for Type II, operating effectively) to meet the AICPA Trust Services Criteria.

SOC 2 reports are issued for organizations that provide services, typically software, to other organizations. A report does not declare that the provider delivers "the highest standards of security"; it gives the reader evidence about a defined set of controls over a defined system boundary. Think of it as independent third-party verification that a SaaS provider's internal controls are what the provider says they are.

Many people still think of a SOC 2 report as a certification. It is an attestation report: management asserts that its controls meet the criteria, and an independent CPA firm, working under AICPA attestation standards, expresses an opinion on that assertion. There is no certificate and no pass/fail stamp from the AICPA itself. The practical consequence is that the report has to be read, not just collected: the auditor's opinion, the system description, the list of controls tested, and any exceptions are all in the document, and that is where the assurance actually lives.

SOC 2 Type I vs. Type II: What Is the Difference?

This is the most common question security teams ask when evaluating a vendor's SOC 2 compliance. There are two report types, and understanding both helps you assess what stage of the audit process a company has completed.

SOC 2 Type I is a point-in-time examination. An independent auditor evaluates whether a company's controls are suitably designed as of a specific date. It answers the question: "Do the right controls exist, and are they designed to meet the criteria?" It does not test whether those controls were followed consistently. Type I is the usual starting point for a SOC 2 program.

SOC 2 Type II covers an observation period, typically anywhere from 3 to 12 months, with 6 or 12 months being common. The auditor tests whether the controls operated effectively throughout that period: not just that they exist, but that they were consistently applied and maintained, with any exceptions documented in the report. Type II provides much stronger assurance for enterprise buyers because it demonstrates sustained, repeatable practice rather than a snapshot.

AnnounceKit’s current status: We have achieved SOC 2 Type I compliance. We are actively working toward Type II, which will demonstrate that our security posture is not just well-designed but consistently maintained across all operations.

Trust Service Principles

SOC 2 is organized around five Trust Services Criteria categories defined by the AICPA, each with a set of related criteria and controls. Security (the "common criteria") is required in every SOC 2 report; the other four are included only if the organization puts them in scope. When reviewing any vendor's report, check the scope section to see which categories were actually examined rather than assuming all five.

Security refers to the controls, at the application layer and in the underlying infrastructure, that protect customer data against unauthorized access. AnnounceKit implements firewalls, intrusion detection systems, and multi-factor authentication (MFA) for all critical infrastructure access points. Access to production systems is restricted to a minimal set of authorized personnel, and all access events are logged and monitored.

Availability means that the system is available for operational activities and that customers can rely on it to meet their uptime objectives. AnnounceKit maintains performance monitoring, automated alerting, and a documented disaster recovery plan with defined recovery time objectives (RTO) and recovery point objectives (RPO).

Confidentiality means that sensitive data is protected using encryption, access controls, and firewalls to prevent unauthorized access or disclosure. All customer data at AnnounceKit is encrypted in transit (TLS 1.2+) and at rest (AES-256). Data access is governed by strict role-based access control policies.

Processing Integrity refers to the requirement that system processing should be valid, accurate, timely, complete, and authorized. AnnounceKit uses automated quality assurance checks and process monitoring to ensure data flows through our systems correctly and that any anomalies are detected and addressed promptly.

Privacy means that user data is gathered, used, retained, and disclosed in a trustworthy manner consistent with our published privacy policy. AnnounceKit’s data handling practices align with GDPR requirements, and we define clear data retention and deletion policies so that customer data is never held longer than necessary.

Why SOC 2 Compliance Matters for SaaS Buyers

SOC 2 compliance is increasingly a baseline requirement for enterprise software procurement. Security teams at mid-market and enterprise companies routinely send vendor security questionnaires, and SOC 2 reports are the most commonly accepted way to answer those questions efficiently — saving both sides weeks of back-and-forth.

For product teams evaluating tools for in-app announcements and product updates, vendor security is a critical procurement criterion. Every tool that handles customer-facing data, including user identifiers, session data, and behavioral signals, must meet your organization's security bar. AnnounceKit's SOC 2 Type I report gives your security team independently examined documentation to work from, which can replace much of a custom questionnaire. Expect them still to read the report's scope, the auditor's opinion, and any noted exceptions, and to ask about Type II timing.

SOC 2 also signals a company’s security culture. Achieving compliance requires building policies, procedures, employee training programs, and technical controls that go far beyond what is visible in a product demo. Companies that invest in SOC 2 are demonstrating a long-term commitment to protecting customer data.

SOC 2 vs. ISO 27001 and GDPR

SOC 2 vs. ISO 27001: SOC 2 is an attestation report issued by a CPA firm under AICPA standards. ISO 27001 is an international standard that results in a formal certification issued by an accredited certification body. SOC 2 is predominantly recognized by US enterprise buyers; ISO 27001 is more often requested by European and global enterprises. The two are complementary, and companies holding both can satisfy a wider range of buyers. AnnounceKit currently holds SOC 2 Type I and is GDPR compliant as a data processor.

SOC 2 vs. GDPR: GDPR is a data privacy regulation with legal obligations for how personal data is collected, processed, and stored. SOC 2 is a voluntary security framework that demonstrates the technical controls protecting that data. GDPR tells you what you must do with data; SOC 2 demonstrates how you protect it. AnnounceKit’s SOC 2 compliance supports our GDPR obligations by ensuring that the technical controls underlying our privacy commitments are independently verified.

Completing Our SOC Journey

It has been worth every moment of our hard work to demonstrate our commitment to delivering high standards of security to our customers. Badges are a showcase, but our commitment comes from the belief that our customers deserve software they can trust completely.

The SOC 2 audit process required us to document every process, harden every access point, and verify every control. Our journey involved conducting a gap analysis against the AICPA Trust Services Criteria, implementing and documenting security controls across infrastructure, access management, and incident response, engaging an independent CPA auditing firm, and completing a full Type I audit. We are now in the observation period that a Type II report covers; the Type II audit will test the operation of our controls across that period.

We will publish an update when we achieve SOC 2 Type II compliance. Follow our product update announcements to stay informed about our security roadmap.

What SOC 2 Means for AnnounceKit Customers

If you are a current AnnounceKit customer, our SOC 2 Type I compliance means your data is protected by independently verified controls. You can request our SOC 2 report for your security team’s review by contacting us at security@announcekit.app. We provide this report under NDA to qualified prospects and current customers.

For enterprise teams completing vendor security questionnaires, our SOC 2 report answers the majority of standard questions about access controls, encryption, availability, incident response, and data handling. This typically shortens a vendor review considerably, although a Type I report is a point-in-time opinion, so some teams will still ask for a Type II report or supplementary evidence.

Frequently Asked Questions

Is AnnounceKit SOC 2 certified?

AnnounceKit has achieved SOC 2 Type I compliance, which is an attestation rather than a certification. An independent CPA firm examined our security controls and confirmed they are suitably designed in accordance with the AICPA Trust Services Criteria. We are currently working toward SOC 2 Type II, which covers the operating effectiveness of those controls over an observation period, typically between 3 and 12 months.

What type of SOC 2 does AnnounceKit have?

AnnounceKit holds a SOC 2 Type I report. Type I is a point-in-time audit that evaluates whether security controls are appropriately designed. We are actively pursuing SOC 2 Type II, which evaluates whether those controls operate effectively over an extended period and provides stronger assurance for enterprise buyers.

Can I request AnnounceKit’s SOC 2 report?

Yes. You can request our SOC 2 report by emailing security@announcekit.app. We share the report under a mutual NDA with qualified prospects and current customers. The report covers our controls across security, availability, confidentiality, processing integrity, and privacy.

What data does the SOC 2 audit cover?

The SOC 2 audit covers all systems and processes involved in delivering the AnnounceKit service, including our cloud infrastructure, application layer, data storage, access management systems, and third-party integrations. All customer data processed through AnnounceKit, including user identifiers, session data, and announcement content, falls within the scope of the audit. The system description in the report defines this boundary precisely, including how subservice organizations such as cloud hosting providers are treated (included in scope or carved out), which is worth checking when you review it.

How does AnnounceKit compare to other SOC 2 compliant in-app notification tools?

AnnounceKit is one of the few in-app notification and product announcement platforms that has independently verified SOC 2 Type I compliance. For enterprise buyers evaluating changelog widgets, in-app announcements, and user notification tools, AnnounceKit provides the security documentation needed to pass internal vendor approval processes. If your security team requires SOC 2, GDPR compliance, and data processing agreements, AnnounceKit can provide all three. Contact us to receive our security documentation package.
