Trust at the Core: EvenBetter Achieves SOC 2 Type 2 Certification
- EvenBetter

- 18 hours ago
Pay equity data is among the most sensitive information a company can share. Here's how we're protecting it — and how we'll keep protecting it.
Why Trust and Privacy Are Foundational to Everything We Do
At EvenBetter, our mission is to help organisations close pay gaps and build fairer, more equitable workplaces. But to do that, our customers have to share something deeply sensitive with us: their pay data.
Compensation information isn't just commercially confidential — it's personal. It touches individual lives, shapes careers, and when handled carelessly, can expose organisations to significant legal and reputational risk. The companies that trust us with this data are placing enormous confidence in us, and we do not take that lightly.

"Trust isn't just a value for us; it's the foundation of everything we do."
From the moment we engage with a new customer, security and privacy aren't afterthoughts — they're built into every system, process, and decision we make. We architect our platform with data protection in mind from the ground up, and we hold ourselves to the highest standards so our customers never have to worry about whether their data is safe with us.
That's why achieving SOC 2 Type 2 certification is such a significant milestone for EvenBetter. It's not just a badge. It's independent, rigorous, third-party proof that our commitment to security is real, tested, and ongoing.
What Is SOC 2 — and Why Does It Matter?
For HR leaders and people professionals, navigating the landscape of cybersecurity certifications can feel overwhelming. So let us cut through the noise and explain what SOC 2 actually means, and why it's the gold standard you should be looking for.
SOC 2 — which stands for System and Organisation Controls 2 — is a framework developed by the American Institute of Certified Public Accountants (AICPA). It was specifically designed for technology and cloud service providers who handle customer data. Unlike some certifications that are self-assessed, SOC 2 is independently audited, meaning an external, accredited firm examines your systems and controls in depth.
SOC 2 audits assess organisations against five Trust Service Criteria:
Security — protecting systems against unauthorised access
Availability — ensuring systems are operational when needed
Processing Integrity — verifying that data processing is complete and accurate
Confidentiality — keeping sensitive information protected
Privacy — handling personal information in accordance with commitments and regulations
There are two types of SOC 2 reports. Type 1 verifies that a company has the right controls in place at a single point in time. Type 2 — the higher standard — goes much further. It evaluates whether those controls have been operating effectively over an extended observation period, typically six to twelve months. It's the difference between saying 'we have a fire escape' and proving that the fire escape has been properly maintained, tested, and used correctly every single day for the past year.
For HR managers evaluating technology partners who will handle sensitive workforce data, SOC 2 Type 2 is the certification that matters most. It tells you that a vendor's security posture isn't performative — it's verified, sustained, and real.
The Audit Process: Rigour You Can Count On
Achieving SOC 2 Type 2 is not a checkbox exercise. It is one of the most demanding compliance processes a technology company can undertake, and deliberately so.
The process begins well before the audit itself. We worked to ensure that every relevant control — spanning access management, encryption, incident response, vendor risk, and more — was not only documented but genuinely embedded in how we operate day-to-day. Policies had to be written, reviewed, and followed. Systems had to be configured correctly and consistently. And evidence of all of it had to be captured in an auditable, verifiable way.
The audit itself was conducted by an independent, accredited third-party auditing firm. Their role was to act as a rigorous, impartial examiner — not an advisor, not a consultant, but a body whose credibility depends on applying the highest standards of scrutiny.
What the auditors actually tested included:
Observation of live systems and controls in operation across the full audit window
Review of access logs, change management records, and security incident reports
Interviews with team members across engineering, operations, and leadership
Sampling of evidence to validate that controls were applied consistently over time
Testing of technical controls including encryption standards, authentication mechanisms, and network security
The observation window is what truly distinguishes Type 2. Auditors don't just look at what you have in place today — they assess whether your controls held up, day after day, across months of real operations. A single missed access review, an inconsistent patching cycle, a gap in logging — any of these could result in an exception in the final report. Passing Type 2 means demonstrating sustained, consistent security discipline at an operational level.
We're proud to say we passed. And the result is a formal, independently verified report that our customers and partners can rely on.
Ongoing Monitoring: Security That Never Stops
Receiving a SOC 2 Type 2 certification is a significant achievement — but our approach to security doesn't end with a certificate. The cyber threat landscape is dynamic, fast-moving, and unforgiving. New vulnerabilities emerge constantly. Attack techniques evolve. Regulatory expectations shift. A security posture that was best-in-class twelve months ago may be inadequate today.
That's why we've partnered with Vanta, the leading trust management platform, to ensure our security monitoring is continuous, proactive, and real-time.
Vanta integrates directly with our systems and infrastructure, providing automated, always-on monitoring across our entire technology environment. This means that rather than waiting for an annual audit cycle to identify a gap, we are alerted to potential risks and compliance issues as they emerge — sometimes within minutes.
"In an ever-changing security landscape, compliance isn't a one-time event. It's an ongoing commitment."
What continuous monitoring with Vanta means in practice:
Real-time alerts when controls drift from their required state, enabling immediate remediation
Continuous evidence collection, so we're always audit-ready — not scrambling to prepare when a review is approaching
Automated risk tracking across our vendor ecosystem, cloud infrastructure, and internal systems
Visibility into emerging threats, so our security team can act before risks become incidents
For our customers, this means that the rigour represented by our SOC 2 Type 2 certification isn't a historical snapshot — it's a living, continuously maintained reality. We're not just compliant when the auditors are watching. We're compliant every day, and Vanta helps us prove it.
We believe that organisations working to close pay gaps and advance equity deserve a technology partner they can trust completely. Our SOC 2 Type 2 certification, backed by ongoing monitoring through Vanta, is our commitment to being exactly that.
If you have questions about our security posture or would like to request a copy of our SOC 2 Type 2 report, please get in touch with our team. We're always happy to talk trust.
— The EvenBetter Team