Saleor Achieves SOC 2® Type 2

Mikail Kocak

Saleor has completed its SOC 2 Type 2 report. This is an independent audit that validates our security controls don't just exist on paper — they actually work, consistently, over time.

What is SOC 2 Type 2

SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating how organizations protect customer data. It covers things like unauthorized access, data breaches, and operational risks that could affect customers.

There are two levels. A Type 1 report evaluates whether your controls are designed properly at a single point in time. A Type 2 report goes further: it validates that those controls actually work over a sustained period of time.

Type 2 is what most enterprise procurement processes require.

Why we did this

When you're running commerce at scale, your security posture affects your customers too. Enterprise buyers need to know their vendor has real controls in place — SOC 2 Type 2 is one of the standard ways to demonstrate that.

Security has been part of how we build and operate Saleor from the start. This report formalizes what was already in practice.

The audit

Our report was issued by MJD, a licensed CPA firm and Drata partner.

  • Trust Service Criteria: Security
  • Audit period: October 2, 2025 – January 2, 2026
  • What was validated: Ongoing effectiveness of security controls (SOC 2 Type 2)

The scope covers access management, change management, incident response, risk management, and infrastructure operations.

Following this initial report, we've entered a 12-month observation period with the goal of producing a longer-duration Type 2 report covering a full year of operations.

The report

If you're evaluating Saleor, we're happy to walk you through our security practices and compliance approach.

FAQ

Is Saleor SOC 2 compliant?

Saleor has completed a SOC 2 Type 2 report covering the Security Trust Service Criterion, based on an independent audit performed by a licensed CPA firm.

Does SOC 2 mean Saleor is "certified"?

SOC 2 is not a certification; it is an independent attestation report issued by a CPA firm that evaluates an organization's controls.

Which Trust Service Criteria does Saleor cover?

Saleor's SOC 2 Type 2 report covers the Security criterion.

Why does SOC 2 Type 2 matter for enterprise ecommerce?

Type 2 demonstrates that security controls operate effectively over time, which is a key requirement for enterprises running high-volume, business-critical commerce systems.
