Announcing our SOC 2 Type 2 Report

Today, we’re excited to announce that we have successfully completed System and Organization Controls (SOC) 2 Type 2 testing with no findings. The report is available via the ngrok security and trust portal.

This audit follows the SOC 2 Type 1 we announced in March. In short, the Type 1 audits that our process and operations are in place while the Type 2 audits that we follow them day to day. While this is straightforward in explanation, it’s more complicated in practice.

How does this impact customers?

Completing this audit does not change the day to day operation of the company or the behavior of the system itself. What it does do is confirm that our processes - both as written and implemented - protect the security of our systems and customer data.

At a practical level, our employees must use MFA, have limited access to certain systems, and get access reviewed periodically to ensure only the right people have access to the right things for the right reasons. We ensure there are code reviews and pull requests before merging any pull request and there’s automation to deploy everything. Not only does it ensure repeatability but it limits outside interference and many simple mistakes. Finally, our logging and notification systems can detect and alert people when there are issues that need our attention. Check out our SOC 2 type 2 report for everything that was tested.

Fundamentally, the SOC 2 Type 2 controls are good principles for system design and operation in general. This audit documents that our practices meet those principles.

What’s Next?

SOC 2 Type 2 is a great accomplishment and we’re very proud of it. At present, we have a strong foundation to build towards other compliance certifications and audits and our roadmap will be influenced by customer needs. If you’re one of those customers who needs ISO/IEC 27001, HIPAA compliance, PCI DSS, or others, let us know via email at

All reports are available upon request at the ngrok security and trust portal.

If you’re looking for an informative,”tell it like it is” take on SOC2 compliance, the ngrok team has enjoyed “The SOC2 Starting Seven”. Whether SOC2 is in your future or not, the practices will make your organization more secure and your processes repeatable.


The engagement was performed by BARR Advisory, P.A. BARR Advisory is a cloud-based security and compliance solutions provider, specializing in cybersecurity and compliance for Software as a Service (SaaS) companies. A trusted advisor to some of the fastest growing cloud-based organizations around the globe, BARR simplifies compliance across multiple regulatory and customer requirements in highly regulated industries including technology, financial services, healthcare, and government.

Share this post
Arianna Willett
Ari is the Senior Director of Security Risk & Trust at ngrok. Over the course of her career, She built and ran security programs for companies ranging in size from startups to the Fortune 200, including Twilio, Okta, and Deloitte. She has a passion for building and scaling security teams and promoting security best practices.