Goldsky is now SOC 2 Type II attested

Today, Goldsky completed its first SOC 2 Type II audit. The report covers our security, availability, and confidentiality controls over a full observation period and is available on request.

First, a thank you to the team who put up with my tickets and reminders for over a year 🙂

Owned by engineering

Our engineering team built our security program into into the systems we operate every day. Most codified how we already worked, with the audit as the forcing function to write them down, close edge cases, and automate where useful.

We wanted to clear SOC 2 on hard mode and do more than the framework required, because every policy had to meaningfully improve our security. Where the framework prescribed processes we wouldn't otherwise run, we did the extra work of showing the auditor that our production already covered the underlying risk. Where it set a minimum, we set ours higher.

Audits happen once a year but production runs continuously. Controls strong enough for production are easily strong enough for audits.

The report establishes a floor of security practice. Treating it as engineering work rather than a checklist to pass is what makes that floor sit high enough to reliably protect the data running through us.

What this means for customers

If you build on Goldsky to run subgraphs, streaming pipelines, RPCs, or onchain automations, your workloads sit on infrastructure with independently attested controls for security, availability, and confidentiality. The attestation is something you can use downstream for your own customers, regulators, or anyone asking how your vendors handle security.

For teams shipping stablecoin infrastructure, payment rails, prediction markets, or anywhere customer data and money moves through the application, our SOC 2 attestation puts third-party rigor behind the foundation you're building on.

A note on SOC 2 Type II terminology

SOC 2 is often referred to as a certification, but the formal outcome is an independent attestation. There's no certificate. An accredited CPA firm evaluates the design and operation of a company’s controls over a defined observation period and issues a report documenting the results.

A Type II report goes beyond reviewing whether controls exist on paper. It evaluates whether those controls operated effectively throughout the audit period. The result is a detailed report that customers, partners, and auditors can use as part of their own security and vendor risk reviews.

For our SOC 2 Type II report or any other security questions, reach out to our team at [email protected].