Airplane is excited to announce that we've completed our System and Organization Controls (SOC) 2 Type II audit. We completed our SOC 2 Type I certification back in August of 2021.
At Airplane, security touches everything we do. Our customers rely on Airplane to run critical — and often sensitive — operations safely across their teams. That's why we launched with application-layer security and compliance features including: approval flows, audit logs, encryption, role-based access controls, self-hosted agents, SSH tunneling, SSO and two-factor authentication, and more.
Airplane follows best-in-industry security practices. Our security efforts are led by our Chief Technology Officer (CTO), Joshua Ma, who has 9 years of experience building enterprise-grade products with world-class security. Josh was formerly CTO of Benchling, a life sciences SaaS company, and is currently Cofounder and CTO at Airplane.
You can find our full security policy here.
What is a SOC 2 Type II audit?
The SOC 2 audit is recognized industry-wide as one of the highest standards of information security compliance in the world. The System and Organization Controls are defined by the American Institute of Certified Public Accountants (AICPA). Third-party auditors can use these criteria to validate information security at companies like Airplane.
While SOC 2 Type I assesses the design of security processes at a specific point in time, SOC 2 Type II assess how effective a system's controls are over time but observing operations for over a long period of time (typically 6-12 months).
The SOC 2 Type II audit follows the standard SOC 2 examination process and entails the following stages:
- Scoping procedures: Determine applicable trust principles with the help of a certified CPA.
- Gap analysis or readiness assessment: The auditor will pinpoint gaps in your security practices and controls. Moreover, the CPA firm will create a remedial plan and help you actualize it.
- Attestation engagement: The auditor will set the list of deliverables as per the AICPA attestation standards. They will then perform the examination to determine the suitability of design controls and operating effectiveness of systems relevant to the applicable trust service principles over the specified period.
- Report writing and delivery: The auditor will deliver the report covering all the areas described above.
SOC 2 Type II at Airplane
For our Type II audit, we worked with a third-party auditor who conducted a thorough review of our internal security controls. These include our policies, procedures, backup and disaster recovery, infrastructure regarding change management, logical access, security incident response, data security, and all other areas of our business. We partnered with Secureframe to ensure that we're following industry-standard security practices.
We built Airplane to help companies operate safely and securely. While we're proud to announce that Airplane is officially SOC 2 Type II compliant, Airplane is committed to continuing to put our customers' security first. This is apparent in both the strict security posture we maintain as well as in the features we design to enhance security and compliance for our users' internal operations.
If you need access to our SOC 2 report or would like to discuss security in more detail, please contact us at [email protected].