SFTP To Go has officially completed its first SOC 2 Type II audit. This independent assessment verifies that we operate in line with the AICPA’s Trust Services Criteria for security, availability, and confidentiality.
The SOC 2 Type II report confirms not just that we have appropriate controls in place, but that those controls are enforced consistently over time. For customers in regulated industries (or any business that values secure, reliable operations), this milestone offers additional assurance that SFTP To Go meets the standards required for handling sensitive data.
What SOC 2 compliance involves
SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) to assess how service providers manage data. The SOC 2 Type II audit we completed evaluates whether our controls function effectively over an extended period, typically six to twelve months.
The audit focused on:
- Security: Preventing unauthorized access to systems and data
- Availability: Ensuring the platform is reliable and consistently accessible
- Confidentiality: Restricting data access to only those with a legitimate need
This process involved a full evaluation of how our infrastructure is built, monitored, maintained, and audited.
How SFTP To Go supports secure operations
We’ve built SFTP To Go with a foundation of secure practices that align closely with SOC 2 expectations:
- Hosting on redundant AWS infrastructure across multiple availability zones
- Encryption in transit (TLS) and at rest (AES-256)
- Support for SSH key authentication
- Fine-grained user permissions and IP whitelisting
- Live system monitoring and automated recovery
- Version-controlled, tested deployments
- Comprehensive audit logging and webhook notifications
- Optional bring-your-own-bucket support for storage control
These aren’t add-ons, by the way; they’re baked into how the service runs, and they’re just a few of our many features.
Internal practices behind the scenes
Our internal policies govern how access is provisioned, how data is classified, how changes are reviewed, and how incidents are managed. All employees complete regular security training and sign confidentiality agreements. Policies are reviewed annually or when significant changes occur. Updates are communicated internally to ensure consistent enforcement.
This audit confirms that these policies aren’t theoretical. Instead, they’re practiced across every layer of our operations, internal and public-facing.
Get the full SOC 2 report
If you want to know more, you can access our latest SOC 2 Type II report through the SFTP To Go Trust Center.