Semaphore is now SOC 2 Type 2 Certified
We just got our SOC 2 Type 2 certification at Semaphore. This means we’ve proven our security practices work consistently over time, not just on paper. Protecting our customers’ code and data has always been a top priority for us, and now we have the audit to back it up.
The difference between Type 1 and Type 2 matters here. Type 1, like ISO 27001 which Semaphore has been certified to since 2020, is a snapshot – it shows your security controls look good on a specific day. Type 2 proves you’re actually following these practices over months of real operations. It’s the difference between having a gym membership and showing you actually go regularly.
Getting here wasn’t quick or easy. Unlike typical product work, there’s no definitive specification for SOC 2. No clear manual that says “do exactly these things and you’ll pass.” Instead, you’re working with broad principles about security, availability, and confidentiality that you have to interpret and implement in the context of your specific business.
I’m very proud of our small security team who turned these vague compliance requirements into real, practical security improvements across the organization.
To our customers: this certification confirms what we’ve been doing all along – treating your code and data with the care it deserves. To anyone considering Semaphore: this is what we mean when we say security is built into how we operate, not bolted on later.