Skip to main content

Phase Two Achieves SOC 2 Type II Compliance

· 3 min read
Phase Two
Phase Two
Hosted Keycloak and Keycloak Support

Phase Two is excited to share that we have successfully completed a SOC 2 Type II audit. This independently validates that our security and availability controls were not just designed well, but operated effectively over time.

Learn more and request report access at our Trust Center: trust.phasetwo.io.

What is SOC 2 Type II?

SOC 2 (System and Organization Controls 2) is an attestation standard for service organizations covering five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report evaluates the operating effectiveness of controls across an audit period, rather than at a single point in time (Type I).

Why this matters to customers

  • Operational assurance: Independent attestation that access control, change management, monitoring, incident response, and data protection controls worked throughout the evaluation period.
  • Faster vendor reviews: A current SOC 2 Type II report reduces back‑and‑forth during security assessments and procurement.
  • Lower risk, higher resilience: Tested controls help prevent incidents and improve recovery, supporting higher availability and reliability.
  • Transparent accountability: The auditor’s report provides objective evidence of our security posture and ongoing commitments.

How this validates Phase Two’s approach

Our platform and operations are engineered for secure‑by‑default deployments, repeatable releases and change control, continuous monitoring, and documented incident response. The SOC 2 Type II result demonstrates these controls function in production—not just on paper.

What’s covered in the report

While each report is tailored to the service and period, customers can expect details on:

  • In‑scope systems and boundaries
  • Control objectives and mapped Trust Services Criteria (with tests of operating effectiveness)
  • Auditor’s testing procedures and results
  • Complementary user entity controls (CUECs) relevant to your environment

Accessing the report

Phase Two makes the SOC 2 Type II report available to customers and qualified prospects under NDA via our Trust Center. If you need access for a vendor review, please submit a request at trust.phasetwo.io or email sales@phasetwo.io.

What’s next

Compliance is continuous. We’ll keep strengthening automation, observability, and control effectiveness, and maintain ongoing attestation to reflect our customers’ evolving needs and the changing threat landscape.

We are actively pursuing ISO 27001 certification to further demonstrate our commitment to information security management.

What this means for you

  • Stronger trust: Independent validation you can include in your own compliance artifacts.
  • Faster assessments: Streamlined security questionnaires and procurement cycles.
  • Operational confidence: Controls that demonstrably reduce operational risk and improve incident response.

Phase Two’s hosting product supports organizations across healthcare, CDN and security, retail, and more—delivering predictable, enterprise‑grade identity and access management.

Need the report or have questions? Contact sales@phasetwo.io or visit trust.phasetwo.io.