
SOC 2 Type II Certification

Enterprise-grade security and compliance standards

TuskCPA is SOC 2 Type II certified, demonstrating our commitment to the highest standards of security, availability, and confidentiality. We undergo annual third-party audits to maintain compliance.

What is SOC 2?

SOC 2 (System and Organization Controls 2) is a rigorous auditing standard developed by the American Institute of CPAs (AICPA) for service providers storing customer data in the cloud. It evaluates our controls across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Type I vs Type II

SOC 2 Type I

Evaluates whether controls are suitably designed at a specific point in time. Think of it as a snapshot.

SOC 2 Type II (TuskCPA)

Evaluates whether controls operate effectively over a period of time (6-12 months). More rigorous and comprehensive.

Trust Service Criteria

Security

Our systems are protected against unauthorized access (physical and logical). We maintain:

  • Multi-factor authentication (MFA) for all users
  • Role-based access control (RBAC)
  • 256-bit AES encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Regular penetration testing and vulnerability assessments
  • 24/7 security monitoring and incident response

Availability

Our systems are available for operation and use as committed. We maintain:

  • 99.9% uptime SLA
  • Redundant infrastructure across multiple AWS regions
  • Automated failover and disaster recovery
  • Real-time monitoring and alerting
  • Scheduled maintenance windows with advance notice

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized:

  • Input validation and error handling
  • Automated data quality checks
  • Transaction logging and audit trails
  • Regular reconciliation processes
  • Version control and change management

Confidentiality

Confidential information is protected as committed or agreed:

  • Encryption of all sensitive data
  • Strict access controls on a need-to-know basis
  • Non-disclosure agreements with employees
  • Secure data disposal procedures
  • Data classification and handling policies

Privacy

Personal information is collected, used, retained, disclosed, and disposed of properly:

  • GDPR and CCPA compliance
  • Clear privacy policies and user consent
  • Data subject rights (access, deletion, portability)
  • Privacy by design principles
  • Regular privacy impact assessments

Annual Audit Process

TuskCPA undergoes a comprehensive SOC 2 Type II audit annually, conducted by an independent third-party auditor. The process includes:

1. Audit Period (6-12 Months)

Auditors examine our controls over an extended period to verify they operate effectively, not just at a single point in time.

2. Control Testing

Auditors test a sample of controls across all Trust Service Criteria, reviewing policies, procedures, system configurations, and evidence of control execution.

3. Evidence Review

We provide extensive documentation including security policies, change logs, access reviews, incident reports, and system monitoring data.

4. Audit Report

Upon successful completion, auditors issue a SOC 2 Type II report detailing our controls and their effectiveness. This report is available to customers under NDA.

Requesting a Copy of Our SOC 2 Report

Our SOC 2 Type II report is available to current and prospective customers under a Non-Disclosure Agreement (NDA). To request a copy:

  1. Contact our security team at tuskcpa@gmail.com
  2. Sign and return our standard NDA (or provide your company's NDA for review)
  3. Receive secure access to the full SOC 2 report and supporting documentation

The report is typically provided within 1-2 business days after NDA execution.

What This Means for You

Peace of Mind: SOC 2 Type II certification means your client data is protected by enterprise-grade security controls that have been independently verified. You can confidently store sensitive financial information on our platform.

For Accounting Firms

  • Meet Professional Standards: Comply with AICPA and state board requirements for data security
  • Client Assurance: Demonstrate to your clients that you use audited, secure systems
  • Risk Management: Reduce your firm's liability and professional risk
  • Due Diligence: Simplify vendor due diligence with our SOC 2 report

For Your Clients

  • Data Protection: Personal and financial information is safeguarded
  • Regulatory Compliance: Helps you meet compliance requirements (GDPR, CCPA, etc.)
  • Business Continuity: Your data is backed up and recoverable
  • Trust: Work with a platform that takes security seriously

Additional Security Resources

Security Questions?

Our security team is available to answer your questions about our SOC 2 compliance and security practices.