Docmosis Commits to Achieving SOC 2 Compliance

3 September 2025

Docmosis is actively working towards SOC 2 compliance to formalize, improve and provide evidence of the security of the Cloud document generation service.

What is SOC 2

SOC 2 is an assurance framework widely used by SaaS providers to demonstrate effective controls for security, availability, processing integrity, confidentiality and privacy. An independent auditor conducts an examination and issues an attestation reports.
These reports come in two forms :

  • SOC 2 Type 1
  • SOC 2 Type 2

A Type 1 audit reviews the system, maps controls to the Trust Services Criteria, and tests policies, configurations and records to confirm design. The report outlines the system and controls in scope and gives an independent opinion on design at the audit date. A Type 2 audit assesses operating effectiveness of these controls over a defined period.

Why SOC 2 matters for Docmosis

The Docmosis Cloud often processes sensitive data to generate documents that may contain confidential information. Many customers depend on these documents to run core operations, which makes reliability and security essential.
Security isn’t new to Docmosis Cloud. From the beginning, the service has been designed and operated to align with, and exceed, industry best practice. Some key Docmosis Cloud security features are:

  • All communication with the service must use HTTPS.
  • All uploaded artefacts (eg: templates, images) are stored encrypted at rest.
  • Any data sent to the API and the generated documents are retained only during processing and are then automatically and immediately deleted.

By aligning our practices with the SOC 2 Trust Services Criteria, we bring structure and independent verification to the security measures already in place. We expect this certification will simplify answering vendor risk reviews and reduce the need for separate security questionnaires.

What this means for customers

The SOC 2 work will run in parallel with normal operations, so there will be no change to how the Cloud service is used and no downtime.
The resulting independent attestation will give customers additional assurance that Docmosis’ security controls meet stringent industry standards, making it easier for development teams and procurement teams to consider and onboard Docmosis,

Next steps

Docmosis will start the SOC 2 Type 1 audit this month. After completion of the Type 1 report, effort will focus on maintaining and improving the control environment while preparing for a Type 2 assessment. When SOC 2 reports become available they will be updated to a Docmosis trust portal.