
SOC 2 Type II Report on Controls

Security that supports your business objectives.

What Is SOC 2?

When you hand over data to a software vendor, you need more than a promise that it will be safe. You need evidence. SOC 2 is one of the most widely recognized frameworks in the industry for providing exactly that.

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA). It is designed for service organizations: companies like testRigor that process, store, or transmit data on behalf of their customers. A SOC 2 audit is an independent examination of the controls an organization has in place to protect that data. It is an attestation engagement, so it must be performed by an independent, licensed CPA firm working under AICPA standards, and its output is a report containing the auditor's opinion rather than a certificate.

The result is a formal report that gives customers, partners, and stakeholders an honest, unbiased view of how well an organization manages information security. In today’s market, SOC 2 is not a nice-to-have — it is a baseline expectation for any serious software vendor.

Why SOC 2 Matters to Your Business

Security is not just an IT concern. It is a business concern. When evaluating a new vendor, your procurement, legal, and security teams need to know that the tools you adopt will not introduce risk into your environment.

A SOC 2 report answers that question directly — backed by an independent auditor, not a self-assessment. It establishes trust, accelerates procurement decisions, and in many cases replaces the lengthy security questionnaires (often hundreds of questions long) that slow down vendor evaluations.

For SaaS companies, data centers, and managed service providers, SOC 2 has become a foundational requirement. If a vendor cannot produce one, it is a red flag. If they can, it signals that security is embedded in how they operate — not just how they market themselves.

Understanding the Trust Services Criteria (TSC)

SOC 2 reports are built around five categories of Trust Services Criteria (TSC), each covering a different dimension of information security. Security is mandatory; an organization scopes the other four in or out based on the nature of its services and the risks relevant to its environment:

Security is the foundation of every SOC 2 report and is required in all audits (its criteria are also known as the Common Criteria). It covers how an organization protects its systems and data against unauthorized access and disclosure, spanning organizational controls, risk assessment, logical and physical access, system operations, and change management.

Availability addresses whether systems and services are operational and accessible as committed to clients. It covers redundancy, uptime, and controls that ensure services meet agreed service levels.

Confidentiality covers how sensitive information is protected — from the moment it enters the organization to the moment it is no longer needed. This applies to any data that is classified as confidential between testRigor and its clients.

Privacy addresses the handling of Personally Identifiable Information (PII) — any data that can be tied to a specific individual. It covers collection, use, retention, and disposal of personal data in line with privacy commitments.

Processing Integrity covers whether system processing is complete, valid, accurate, timely, and authorized, so that data is not lost, duplicated, or altered without authorization along the way. This criterion is highly specific to the nature of an organization's product and services.

How testRigor Does It

We Chose the More Rigorous Option: SOC 2 Type II

Not all SOC 2 reports are equal. There are two types — and the difference matters.

A Type I report is a point-in-time snapshot: it confirms that controls are suitably designed and implemented as of a specific date. A Type II report goes further: the auditor tests whether those controls actually operated effectively throughout a review period, which in practice runs from a few months up to a full year.

testRigor holds a SOC 2 Type II report with a 12-month audit period. This is a deliberate choice. A full year of coverage demonstrates that our security posture is not a performance for audit day — it is how we operate every day. It provides customers and partners with a significantly higher level of assurance than a shorter or point-in-time report.

We Included Every Applicable TSC

We evaluated all five Trust Services Criteria alongside our external auditors and included every category applicable to our product and operations: Security, Availability, Confidentiality, and Privacy.

Processing Integrity was carefully assessed and deliberately excluded. Given the nature of testRigor’s product — and based on the evaluation conducted with our external auditors — it does not apply to our environment. Every criterion we include is included with purpose, and that decision reflects both rigor and intellectual honesty about what our audit should cover.

Including four TSC categories represents a significant investment — in time, resources, and cost. We made that investment because our customers deserve a comprehensive, transparent view of how we manage their data.

A Dedicated Security Team

Security at testRigor is led by a Head of Security, Risk & Compliance who drives strategic initiatives across security, privacy, and operational risk — ensuring that our compliance program is always aligned with business objectives and market expectations. A dedicated Cybersecurity Engineer handles the hands-on implementation and ongoing management of our security controls.

Our engineering team is composed of experienced professionals trained in secure code development. Security is not reviewed at the end of a sprint — it is built into the development process from the start.

Automated Compliance and Continuous Monitoring

We use compliance automation software that consolidates all audit-related activity into a single system — evidence collection, readiness tracking, control monitoring, and management of audit requests. This gives us a clear, real-time view of our security posture at any point in time, not just during audit season.

Our automated tools detect control gaps in near real-time, verify cloud security configurations through direct integrations, and run Continuous Monitoring (ConMon) automations that keep our environment under constant observation. When something changes, we know about it immediately.

Risk Management and Maturity

Our security program is built on maturity models — meaning we do not just ask whether controls exist, we measure how effective and mature they are, and we set targets to improve them continuously. Risk management is centralized across the entire company and aligned with the NIST framework, one of the most respected risk management standards globally.

Security Awareness Across the Organization

Every testRigor employee — regardless of role — participates in regular security awareness training and campaigns. Security culture starts with people, and we invest in making sure everyone on our team understands their responsibilities and the risks associated with the data we handle.

What This Means for You

Choosing testRigor means choosing a vendor whose controls have been independently verified, not just once but across a full year of operations, to meet the SOC 2 Trust Services Criteria in scope and to have operated effectively throughout that period.

In practical terms, this means:

  • Your data is protected by controls that have been tested and confirmed effective over time, not just on paper.
  • Our security practices are aligned with internationally recognized criteria that your procurement and security teams will recognize and accept.
  • You can accelerate your vendor evaluation process — our SOC 2 report can replace or significantly reduce the burden of lengthy security questionnaires.
  • We operate with transparency. Our Trust Center gives you direct access to our security reports, certifications, and supporting documentation — available whenever you need it.

We believe that the best way to earn your trust is to show our work. Our SOC 2 Type II report is part of that commitment — and so is everything we do in between audits to make sure that commitment holds.

testRigor’s SOC 2 Type II audit covers the Security, Availability, Confidentiality, and Privacy Trust Services Criteria over a 12-month period and was conducted by an independent CPA firm under AICPA attestation standards. Reports are available upon request through our Trust Center. When you review the report, check the review period dates, the categories in scope, the auditor's opinion, any exceptions noted in the test results, and the complementary user entity controls (CUECs), which describe what your own organization must do for the controls to be effective.
