SOC 2 Type II
SOC 2 Type II (AICPA TSC)
Overview
SOC 2 Type II, defined by the AICPA Trust Services Criteria (TSC), provides independent attestation that IOF's security, availability, confidentiality, and privacy controls operate effectively over a sustained period. IOF engineers for all five TSC categories from day one. A Type I readiness assessment is scheduled for 2026 Q3; the Type II observation window opens 2027 Q1.
Scope
Applies to the entire IOF platform — all services (rail-api, ledger-service, analytics-api, obp-gateway), all AWS infrastructure, all Cloudflare edge layers, and all authentication flows (Clerk).
Key Controls
- Audit trails on all data access (who, what, when, why — structured JSON)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- ABAC access controls logged via Cerbos policy engine
- Change management via Git-reviewed, CI-validated PRs
- Incident response with fingerprinted failure pipeline
- Availability: multi-region, zero SPOF architecture
- Privacy: GDPR-aligned data minimisation and consent management
Certification & Audit
AICPA-certified CPA firm (selection in progress for 2026 engagement)
2026 Q3 — Type I readiness assessment; 2027 Q1 — Type II window opens
Evidence Bundle
Evidence bundle available on request
Contact compliance@islamicopenfinance.com to request the evidence pack for this framework. We typically respond to audit requests within two business days.