Basic Auth with AWS API Gateway & Lambda
CloudMailin Team
3 Nov 2020
Security has always been a priority for us at CloudMailin. As an email provider a lot of your data passes through our systems on its way to your application, and over the years customers have quite reasonably asked us to demonstrate how we look after it. We're pleased to say that we've now completed our first SOC 2 Type 2 examination, carried out by the independent auditors at BARR Advisory.
It's worth being clear about what a SOC 2 report actually is, because it's often misunderstood. It isn't a certification and there's no badge that means you've "passed". Instead an independent, accredited CPA firm examines the controls we say we have in place, gathers evidence, and writes up their own opinion on whether those controls are designed properly and operating as they should. The result is a detailed report that you can read for yourself, rather than a logo that asks you to take our word for it.
There are two kinds of SOC 2 report and the difference between them matters. A Type 1 report looks at whether the controls are designed correctly at a single point in time, whereas a Type 2 report goes further and checks whether those controls actually operated effectively over a period of time. Ours is a Type 2, covering three months of evidence, which we think is the more meaningful of the two.
A SOC 2 examination is a lot of work, but very little of it changed how we run CloudMailin day to day. Automated vulnerability scanning, keeping systems and dependencies patched, reviewing who has access to what — that has been going on quietly in the background for years. The examination mostly gave us a way to write it down and have someone independent confirm it's real.
Our servers are a good example. Rather than logging in to patch and upgrade a machine in place, we build from a known-good image and replace it — the old server is retired, not maintained. Staying current stops being a chore someone has to remember and becomes a side effect of how we deploy.
One thing a SOC 2 report doesn't do is test the security of the product itself. It examines our controls and processes — how we manage access, encryption, monitoring and incident response — rather than actively trying to break into the service the way an attacker would. Both matter, but they answer different questions.
That's why, alongside the SOC 2 examination, we also commission independent penetration testing from a CREST-accredited firm. Where SOC 2 looks at whether our controls are designed and operating as they should, a penetration test is adversarial: security specialists probe the live service from the outside, hunting for weaknesses, and we work through whatever they report back. It's the engineering-led counterpart to the process-led assurance a SOC 2 report gives you.
A SOC 2 report is a restricted document, so rather than publishing it we share it with customers and prospects under NDA. There's a summary of how we approach security on our Security and Privacy page, and if your security team would like to see the full report you can contact us and we'll send it over.
Completing a Type 2 is a milestone for us, but the practical takeaway is simpler than that. The controls that look after your email every day are the ones an independent CPA firm examined for our SOC 2 report, and you're welcome to read it for yourself.
If you're going through a SOC 2 examination yourself and looking for an auditor, we'd happily recommend BARR Advisory — they made the process genuinely straightforward.