May 10, 2026

At the Finish Line: A SOC 2 Type II Update from Backstroke

Our SOC 2 Type II observation window is closed. 100% of our control evidence has been reviewed by our independent auditor. The official attestation report is the only step left, and it's on its way. Here's where we stand and what's coming next.

Egan Montgomery

Co-founder & VP of Marketing

If you've been following along over the last several months, you know we've been quietly (and sometimes loudly) stacking brick after brick on our security wall. Encrypted API keys. MFA. Shorter session durations. Password complexity. A full rebuild of how we store and handle the credentials that connect to your Klaviyo account.

Today we get to share the next milestone on that road.

Backstroke's SOC 2 Type II audit is at the finish line. Our Type II observation window (January through March 2026) is complete. 100% of our control evidence has been reviewed by our independent auditor. The work is done. What's left is paperwork: the auditor's official attestation report, which is being finalized now.

We'll fast-follow with the "stamped, signed and shipped" announcement the moment that report lands. In the meantime, the substance is what matters: the controls our customers care about have been operating, observed, and reviewed for a full quarter.

What SOC 2 Type II Actually Means (In Plain English)

SOC 2 is the security audit that enterprise buyers care about. It's issued by an independent, third-party CPA firm under standards set by the AICPA, and it evaluates whether a software company actually does what it claims to do when it comes to protecting customer data.

There are two flavors:

  • Type I is a point-in-time snapshot. Essentially: "On this specific day, your controls were designed correctly."

  • Type II is a multi-month observation period. It answers a harder question: "Did your controls actually work, day in and day out, over the course of several months?"

Type II is the one that matters. It isn't a single performance for the auditor, but proof that the way we handle your data is the way we handle your data every day.

That's the audit Backstroke is on the verge of completing.

Where We Are Right Now

The plain-English status:

  • Observation window: January 1 through March 31, 2026. Closed.

  • Evidence requests: 66 control evidence items. 100% completed.

  • Auditor review: Complete.

  • Final attestation report: Being prepared by our independent auditor. Expected shortly.

When the report lands, we'll publish a follow-up announcing the official Type II attestation and explaining how customers and prospects under NDA can request a copy.

Why We Did This

We'll be honest. A SOC 2 Type II audit is a lot of work. It touches engineering, IT, HR, legal, data architecture, vendor management and roughly every other corner of the company. But we committed to it for three reasons.

1) Enterprise customers need it. When a brand with a large subscriber list and a real legal team is evaluating Backstroke, "trust me" doesn't cut it. SOC 2 Type II is the credential that unblocks the procurement review, satisfies the security questionnaire and gets the contract signed.

2) AI marketing tools deserve extra scrutiny, and rightfully so. Backstroke's agents work with your customer data, your creative assets and your sending infrastructure. The standard for any company handling data like that should be high. The standard for an AI company handling it should be higher.

3) Because we wanted to. Our customers trust us with meaningful pieces of their marketing operation. The right response to that trust is to meet it with real, audited rigor, not a confident-looking pitch deck.

The Road That Got Us Here

This audit is the culmination of work we've been shipping in public since late 2025.

In our November 2025 security release, we rolled out:

  • Encrypted Klaviyo API key management via AWS Secrets Manager, meaning no one (including Backstroke employees without proper permissions) can view integration credentials.

  • Multi-factor authentication (MFA) on every account, soon to be the default login method across the platform.

  • Reduced session durations to 8 hours by default, with custom shorter windows available for enterprise teams.

  • Password complexity requirements and self-serve password changes.

In December, we launched our L5 Agentic Engine in a SOC 2-ready environment, meaning every piece of that new dynamic email generation stack was designed from day one to live inside our audit scope.

In February, our Hero Lab release signaled that we were actively working toward full SOC 2 compliance alongside shipping AI-generated hero images and Predictive Templates.

And earlier this month, with the launch of Surge, our predictive content intelligence product for Klaviyo, we extended that same security posture to the drag-and-drop content block that now lives inside our customers' Klaviyo accounts.

Each of those releases was a deliberate step toward this finish line. We're about to cross it.

What's In Scope

Our SOC 2 Type II audit covers controls across the areas you'd expect from a modern SaaS platform handling customer data:

  • Access management: how we grant, review and revoke employee and system access

  • Encryption: at rest and in transit, including the AWS Secrets Manager architecture for integration credentials

  • Change management: how code gets reviewed, tested and shipped to production

  • Incident response: how we detect, investigate and communicate about security events

  • Vendor management: how we vet and monitor the third parties we depend on

  • Logging and monitoring: what we see, when we see it and how long we retain it

  • Personnel security: background checks, security training and off-boarding

When the official attestation report is issued, customers and prospects under NDA will be able to request a copy through their account team.

What This Means If You're Already a Customer

You don't need to change a thing. Everything SOC 2 requires of Backstroke has been operating across the audit window. But if you're in the middle of a procurement review (internally or with a bigger brand you're pitching), here's what you can now say honestly, with the underlying engineering work to back it up:

  • Backstroke's SOC 2 Type II observation window is complete.

  • 100% of our control evidence has been reviewed by our independent auditor.

  • The official attestation report is in final preparation.

  • Integration credentials are encrypted and stored in AWS Secrets Manager.

  • MFA is available on every account.

  • Our controls are continuously monitored, not just set up and forgotten.

If your security or legal team previously flagged Backstroke as "promising but not ready for enterprise," we're a short window away from putting a third-party auditor's signature behind that conversation. It's a good time to circle back.

What This Means If You're Not a Customer Yet

Two things.

First: The most common blocker for bringing Backstroke into a larger brand has historically been "can your security story pass a procurement review?" The answer is materially closer to "yes, with documentation" than it has ever been before, and will be officially yes within weeks. If that conversation was pending at your company, it's time to restart it.

Second: Security is no longer a reason to delay adopting AI in your marketing stack. The argument that AI tools are inherently unsafe to introduce made some sense when the category was brand-new and nobody had done the work. In 2026, it doesn't. A SOC 2 Type II audit on the verge of attestation is the same scrutiny any mature SaaS vendor is held to, applied to an AI marketing tool, and we are about to be on the other side of it.

What's Next

The official report. We'll announce it the moment it lands.

Beyond that:

  • Type II compliance comes with an ongoing observation window, continuous controls monitoring and an annual recertification. We're already in that cycle, which means we're not going to pass this audit once and coast. It's just how Backstroke operates now.

  • We're evaluating the next layer of certifications and frameworks our customers are asking about, including additional privacy-focused attestations for buyers in regulated verticals and expanded tooling for our European customers. We'll share more on each as they ship.

Until then, keep surging, keep shipping and keep sending the kind of email campaigns that make people actually read their inbox. The third-party auditor's receipt is on its way. We'll share it the moment it's ours to share.

Ready to bring Backstroke into your stack, security review and all?

  • Request a demo and we'll walk your team (and your procurement team) through where we are and what's coming.

  • Already a customer? Reach out to your account manager about timing on the SOC 2 Type II report.