SOC 2 Compliance

Last Updated: February 21, 2026•Version: 2.0

Pursuing Certification

SOC 2 Type II — In Progress

We have implemented SOC 2 controls across our platform and infrastructure. A formal Type II audit is planned as part of our compliance roadmap.

SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of CPAs (AICPA) that evaluates an organization's information systems against five Trust Services Criteria. Ledger Link is committed to meeting these standards and is actively working toward formal certification.

Our Compliance Journey

Controls Implemented

We have implemented security, availability, and confidentiality controls across our application and infrastructure, including encryption at rest (AES-256), encryption in transit (TLS 1.3), role-based access control, audit logging, and automated backups.

Infrastructure Certified

Our cloud providers — AWS (via Supabase), Vercel, and Cloudflare — maintain their own SOC 2 Type II certifications. Your data is hosted on infrastructure that has passed independent audits.

Formal Audit Planned

We are preparing for a formal SOC 2 Type II audit to independently verify our controls. This is a priority on our compliance roadmap and is tracked on our public roadmap.

Trust Services Criteria

SOC 2 evaluates organizations against five Trust Services Criteria. Here is how Ledger Link addresses each:

1. Security

Protection against unauthorized access and system abuse:

Multi-factor authentication with TOTP, email, and SMS options
Role-based access controls with row-level security (RLS) in PostgreSQL
AES-256 encryption at rest and TLS 1.3 encryption in transit
Web Application Firewall (WAF) and DDoS protection via Cloudflare
Intrusion detection and automated threat monitoring

2. Availability

System uptime and accessibility commitments:

99.9% uptime SLA with real-time status monitoring
Multi-region redundancy with automated failover
Daily automated backups with 90-day retention
Disaster recovery procedures with documented RTO/RPO

3. Processing Integrity

Accurate and timely data processing:

Input validation controls at API and database layers
Comprehensive audit trail for all data modifications
Database integrity constraints and foreign key enforcement
Change management process with code review and CI/CD

4. Confidentiality

Protection of sensitive information:

Organization-level data isolation with row-level security
Access logging and monitoring for all sensitive operations
Secure data disposal with 30-day post-cancellation deletion
Vendor security assessments for all subprocessors

5. Privacy

Personal information protection:

GDPR and CCPA compliance with documented data processing agreements
Privacy by design — minimal data collection, purpose limitation
Data subject rights support (access, rectification, erasure, portability)
Published subprocessor list with 30-day change notification

Request Compliance Documentation

Once our SOC 2 Type II audit is complete, the report will be available upon request under NDA. In the meantime, we can provide:

Security questionnaire responses
Architecture and data flow documentation
Subprocessor SOC 2 reports (from AWS, Vercel, Cloudflare)
Signed Data Processing Agreement (DPA)

Contact our security team at security@theledgerlink.com

For questions about our security practices or compliance status, contact security@theledgerlink.com.