Jun 2, 2026
Backstroke Is SOC 2 Type II Certified: Here's Why That Matters for Enterprise eCommerce

Backstroke is officially SOC 2 Type II certified. For enterprise eCommerce brands tired of hitting security roadblocks with AI marketing tools, that changes everything.

Bridget Johnston

Marketing

Backstroke has officially achieved SOC 2 Type II certification, independently audited and verified by Johanson Group LLP. This post explains what that means, why it's especially meaningful for a young company and why it matters if you're an enterprise brand evaluating AI-powered email marketing tools.

What SOC 2 Type II Actually Means

SOC 2 is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). An independent CPA firm examines whether a service organization's systems and controls meet the criteria in one or more of the five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is the category every SOC 2 report must cover; the other four are added to scope as the service and its customers require. Strictly speaking there is no SOC 2 "certificate": the output is an attestation report carrying the auditor's opinion, which is why a security reviewer will ask for the report itself rather than a badge.

That independent assurance is a commercial gate as much as a technical one: 83% of enterprise brands require SOC 2 before signing contracts with SaaS vendors.

SOC 2 reports come in two forms. A Type I report is a point-in-time snapshot: the auditor confirms that controls are suitably designed as of a single date. A Type II report goes further. The CPA firm tests whether those controls actually operated effectively throughout an observation period (in our case, a full quarter), sampling evidence across that period: inspecting logs, testing access controls, reviewing change management tickets and examining vendor contracts. At the end of the period the firm issues a formal opinion, with its license behind the findings.

In plain terms, a Type II report shows what our security actually looks like in operation, verified by an independent third party over a period of months rather than on a single day.

The AICPA states that SOC 2 Type II examination provides "detailed information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users' data."

Our report came back with no exceptions noted across all tested controls.

Why Is SOC 2 Type II Certification Significant for a Company Our Age?

Backstroke was founded in February 2024. Achieving SOC 2 Type II around our second birthday puts us in rare company.

Most SaaS vendors pursue their first SOC 2 audit much later, when they have 30–80 employees. The process itself takes 9–18 months end-to-end: several months of readiness work, a multi-month operating observation window, then fieldwork and reporting. 

This means we began building formal, auditable security controls in year one, and those controls had been operating well before the observation window opened. The controls, policies, encryption standards, access management procedures and incident response protocols that Johanson Group audited were already in place and functioning. The Type II report is not evidence that we became secure; it is a third-party auditor's formal confirmation, after months of observation, that we already were.

Think of it as the stamp of approval on things we were already doing.

Why Do Enterprise Brands Require SOC 2 Type II Certification?

If you work in procurement or security at a mid-to-large enterprise, this certification is likely a standard gate in your vendor evaluation process. And for good reason.

According to Verizon's 2025 Data Breach Investigations Report, third-party involvement in data breaches doubled year-over-year to 30% of all incidents. When an enterprise brand shares customer data with a marketing platform, that platform becomes part of the brand's attack surface: a breach at the vendor is a breach of the brand's customer data. Every vendor relationship extends that surface.

A SOC 2 Type II report directly addresses that risk. It covers the controls that enterprise procurement teams care most about: role-based access controls, encryption at rest and in transit, multi-factor authentication, change management, incident response, business continuity planning and vendor risk management. Rather than requiring your security team to work through an extensive questionnaire, a current Type II report gives your team independent, structured evidence on which to base a vendor decision. Read it the way an auditor would: check the report period and issue date, the system and services in scope, which Trust Services Categories were covered, any exceptions noted and the complementary user entity controls the report expects you, the customer, to operate on your side.

According to Vanta's 2025 State of Trust Report, 72% of organizations say security risks have "never been higher," up from 55% in the 2024 report. The bar is rising, and the companies that meet it this early have a real advantage.

The AI Marketing Problem: Most Tools Can't Say This

The enterprise AI tool landscape is fragmented. A significant portion of AI tools marketed to eCommerce brands—particularly the newer, faster-moving ones—have not completed a SOC 2 Type II audit. Many haven't completed any SOC 2 audit at all.

This creates a real problem for enterprise brands. IBM's Cost of a Data Breach Report 2025 found that shadow AI—employees using AI tools that haven't been reviewed or approved by IT and security—added an average of $670,000 to breach costs when incidents occurred. Cisco's 2026 Data and Privacy Benchmark Study found that 75% of organizations report having a dedicated AI governance body in place, signaling that AI oversight and data governance have become critical organizational priorities.

The brands we work with operate at a level of scale and scrutiny where that can't be hand-waved. Brands like Cozy Earth and Thirdlove are companies with real security review processes, real procurement teams and real consequences if a vendor relationship goes wrong. We built Backstroke to serve brands at that level, which means we have to meet the bar those brands set.

SOC 2 Type II is that bar.

What We Were Actually Audited On

For security teams reading this, here is a summary of the Common Criteria (CC1 through CC9) tested in our Type II report. These are the criteria that make up the Security trust services category:

  • CC1: Control Environment — code of conduct, board independence, background checks, security awareness training, performance accountability

  • CC2: Communication and Information — internal and external communication of security policies and commitments

  • CC3: Risk Assessment — annual risk register, threat identification and ranking, fraud risk consideration, change impact evaluation

  • CC4: Monitoring Activities — continuous security monitoring, capacity monitoring, annual internal control self-assessment

  • CC5: Control Activities — documented security policies, change management procedures, employee accountability

  • CC6: Logical and Physical Access Controls — role-based access, MFA, new hire access provisioning, annual access reviews, terminated user offboarding, perimeter protection, TLS encryption, anti-malware

  • CC7: System Operations — quarterly vulnerability scans, annual third-party penetration testing, intrusion detection, incident response, disaster recovery

  • CC8: Change Management — ticketed change requests with management approval, segregated development and production environments, SDLC policy

  • CC9: Risk Mitigation — business continuity plan, disaster recovery plan, vendor management with signed contracts and compliance requirements

The full report was produced by Johanson Group LLP, a licensed CPA firm based in Colorado Springs. All tested controls returned with no exceptions noted.

What Does This Mean If You’re Considering Backstroke?

If you're a security or procurement professional evaluating Backstroke and need documentation, we can provide the SOC 2 Type II report under NDA. Reach out to your Backstroke contact or email us directly.

If you're a marketing leader whose deal has been on hold pending a security review, this is the milestone that clears that gate. The report is current, the audit was clean and the controls it verifies were in place long before the observation window opened.

We're proud of this milestone. It reflects the kind of company we've been building from the beginning—one that takes the responsibility of handling customer data seriously, and one that enterprise brands can trust.