|
SOC 2 Type 2 Certified Independently audited by Thoropass Type 2 observation period: 1 October 2025 to 31 March 2026 |
Security is not a feature you bolt on. It is the foundation everything else rests on. For the organisations that rely on us, how we handle your data sits at the heart of the service we provide.
What SOC 2 Type 2 actually means
A continuous standard, not a snapshot
SOC 2 is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA), designed specifically for service organisations that handle customer data. It assesses controls across five trust principles: security, availability, processing integrity, confidentiality, and privacy.
Type 1
A point-in-time report
Confirms that the right controls exist on a given day. The foundation we built first, before extending into continuous verification.
Type 2
A continuous, verified standard
Verifies that the same controls have operated effectively across an extended observation period. Stronger and more meaningful assurance for your organisation.
Six months of evidence collection and independent testing
| 1 October 2025 | 31 March 2026 |
months of continuous
independent observation
Controls tested across the full operating environment
What we had to demonstrate
Achieving Type 2 required Submit.com to evidence the effective operation of controls across our entire platform and engineering practice. Each control was independently tested and each piece of supporting evidence reviewed in turn.
Principle of least privilege applied across all production systems
Every code change reviewed, approved, and fully traceable
Ongoing surveillance of our infrastructure, around the clock
Documented procedures, tested and verified under real conditions
Third-party risk assessed and documented throughout the audit period
Data protected in transit and at rest, across every layer of the platform
Why this matters to you
Practical reassurance
For the organisations that rely on Submit.com to run grant schemes, awards programmes, and scholarship processes, SOC 2 Type 2 certification translates into something concrete.
Procurement made simpler
Many organisations, particularly in the public sector and regulated industries, require SOC 2 Type 2 as a baseline for vendor onboarding. Our certification supports your due diligence with a recognised external standard.
Independent assurance
You no longer need to take our word for it. Thoropass examined our controls, tested them across the full six-month observation period, and issued a favourable formal opinion.
A higher operating standard
Maintaining Type 2 is not a one-off exercise. It commits us to running the same disciplined controls year-round. The next audit period has already begun.
Aligned with how you operate
Whether you are handling personal data under GDPR, grant funds under public accountability rules, or sensitive nominations under confidentiality agreements, our controls are built to meet you where you work.
Security as an ongoing discipline
This milestone realises a years-long commitment to a core Submit.com belief: that lasting trust is earned by taking the time to get things right. Type 1 was the foundation we built first. Type 2 is the discipline we now hold ourselves to, every day.
Certification is a mark of approval, not a final destination. The teams behind Submit.com will continue the ongoing work that underpins this standard: monitoring, reviewing, and improving the controls that keep your data safe.
We are proud of this achievement, but prouder still of what it represents. A way of working that puts your trust at the centre of our software, not as a feature, but as a foundation.
Frequently asked questions
What is SOC 2 Type 2 certification?
SOC 2 is an auditing framework developed by the AICPA that assesses security controls across five trust principles: security, availability, processing integrity, confidentiality, and privacy. A Type 2 report verifies that those controls have operated effectively across an extended observation period, not just on a single day.
What is the difference between SOC 2 Type 1 and Type 2?
A Type 1 report confirms that the right controls exist on a given day. A Type 2 report verifies that those controls have operated effectively and consistently over an extended period. Submit.com holds both certifications, having achieved Type 1 in 2025 and Type 2 in May 2026 following a six-month independent audit.
Who conducted the Submit.com SOC 2 audit?
Our audit was conducted by Thoropass, a specialist compliance firm trusted by hundreds of technology companies for independent SOC 2 attestation. The observation period ran from 1 October 2025 through 31 March 2026, covering a full six months of continuous evidence collection and independent testing.
Can I request a copy of the SOC 2 Type 2 report?
Yes. Existing customers and prospective partners can request access to the report by contacting the Submit.com team directly. We are happy to share it as part of your vendor due diligence or procurement process.
Does this certification apply to grant management and awards management workflows?
Yes. The controls assessed during the audit cover Submit.com’s entire platform and engineering practice, including all workflows used for grant management, awards management, scholarship management, and application processing.
Want to review our SOC 2 Type 2 report?
Existing customers and prospective partners can request access to our full audit report for use in vendor due diligence and procurement processes.