Thorn Street completes SOC 2 Type 1 examination
Connor Jennings
Thorn Street has completed a SOC 2 Type 1 examination against the Security Trust Services Criteria. The examination was performed by Johanson Group. The auditor issued an unqualified opinion, with no exceptions noted in the examination. In audit terminology, an unqualified opinion is the strongest possible result: the auditor signed off with no reservations attached.
Why we did it
Data is our business. Customers trust us with the systems and information their operations depend on, and location data is sensitive in ways that aren't always obvious: geography is identity, maps expose patterns, combined datasets inherit every restriction of their sources. We hold our own infrastructure to the same standard we apply to customer work.
What was examined
A SOC 2 Type 1 examination evaluates two things: whether a company's description of its system is accurate, and whether the controls in that system are suitably designed to meet the Trust Services Criteria. An independent CPA firm inspects the system, the policies, and the evidence, then issues an opinion.
The scope covered our production environment end to end: identity and access management, change management, encryption at rest and in transit, endpoint protection, monitoring, incident response, vulnerability management, backup and recovery, and vendor risk management. The report also documents the physical security chain down to the specific facilities where our hardware runs.
How we approached it
Most companies buy a third-party compliance platform to get through SOC 2. We built evidence collection into our own infrastructure instead. Each control is mapped to the system that demonstrates it, and evidence is generated by the systems doing the work rather than assembled after the fact. When audit time came, the auditors reviewed the evidence where it lives, through read-only access to our systems.
We could take this approach because we started clean. The controls in this report weren't retrofitted onto an existing company. They were built into the infrastructure from the start.
It also reflects how we operate generally: we run our own infrastructure, control our own data, and understand our systems well enough to prove their behavior.
Why this matters
An independent firm examined how Thorn Street is built and found controls designed to do what we claim, with an unqualified opinion and no exceptions noted. A security posture is easy to claim. Ours has been independently examined.