System and Organization Controls (SOC) comprise a set of control frameworks that independent auditors use to validate and certify an organization’s systems and policies with respect to security and data protection. The purpose of SOC standards is to provide confidence and peace of mind for organizations when they engage third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant who determined the firm has the appropriate SOC safeguards and procedures in place.
As part of our commitment to keeping customer data secure and private, Bitwarden performed an audit with AuditOne, LLP, to cover the most important facets of data security regarding our processes for systems, employees, and security controls.
This audit serves as a declaration that Bitwarden operates holistically in the best interests of our customers and their data, taking every reasonable precaution.
The following certifications were achieved by the Bitwarden team:
2021 SOC 3 Report - Download the PDF
2020-2021 SOC 2 Type II (available upon request)
2020 SOC 3 Report - Download the PDF
SOC is driven by the Association of International Certified Professional Accountants or AICPA.
SOC 2 is the SOC for service organizations report focused on trust services criteria. AICPA describes SOC 2 as the report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
These reports can play an important role in:
Oversight of the organization
Vendor management programs
Internal corporate governance and risk management processes
According to the AICPA, the use of these reports is restricted. For SOC 2 report inquiries, please contact our sales team.
The SOC 3 report provides a summary of the SOC 2 report that can be distributed publicly. According to the AICPA, SOC 3 is the SOC for service organizations report on trust services criteria for general use.
Bitwarden makes a copy of our SOC 3 report available here.
SOC information from AICPA: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html
These SOC certifications represent one facet of our commitment to safeguarding the security and privacy of customers, and compliance with rigorous standards. Bitwarden also performs a regular cadence of audits on our network security and code integrity, which you can find here:
Editor's Note: This blog was originally published on August 25, 2020 and updated on September 13, 2021.