CERTIFICATION · SOC 2
AICPA reviewed a full year of Shufti’s operational evidence
Shufti holds SOC 2 Type II certification, assessed by an AICPA-registered CPA firm over a continuous 12-month monitoring period. Type I shows controls exist on audit day. Type II shows they operated consistently over time. We hold Type II, covering all five Trust Services Criteria.
What SOC 2 Is
SOC 2 is a framework defined by the American Institute of Certified Public Accountants (AICPA) for evaluating the security posture of service organisations. It is the enterprise SaaS procurement standard for verifying that a vendor's security posture is consistent, not curated for audit day. There are two report types and the difference between them is material.
SOC 2 Type I, what we didn't stop at
Type I assesses whether the right security controls are in place at a single point in time. It confirms design, not execution. A vendor can pass Type I while running controls inconsistently in the months before or after the audit. It tells you what the vendor had on one particular day.
SOC 2 Type II, what Shufti holds
Type II assesses whether controls operated effectively throughout a 12-month monitoring period. Shufti's auditor reviewed intrusion detection logs, access provisioning records for every role change, encryption key rotation schedules, change management approvals, incident response evidence, and disaster recovery test outputs across the full period. Type II tells you whether the vendor lived the controls.
Why It Matters
More than two-thirds of enterprise B2B buyers require SOC 2 Type II before executing vendor contracts. Without it, identity verification implementations stall in security review regardless of technical capability. The SOC 2 Type II report eliminates the need for custom security questionnaires; your InfoSec team reviews the actual audit evidence instead.
Shufti's Type II report is evidence that Shufti's controls worked consistently, across all five criteria, for a full year. Your team can review every control tested, every exception found, and every remediation taken, instead of sending us a 40-question questionnaire and hoping the answers are accurate.
12 months Continuous monitoring period
Assessed by an independent AICPA-registered auditor, not a point-in-time snapshot. All five Trust Services Criteria covered: Security, Availability, Processing Integrity, Confidentiality, Privacy.
How Shufti Maintains It
Shufti's current SOC 2 Type II report identifies the auditing firm, the 12-month monitoring period, the specific controls tested under each Trust Services Criterion, the evidence reviewed, any exceptions, and how those exceptions were remediated. Subprocessors and their security obligations are disclosed in the report.
We maintain an active SOC 2 Type II report at all times. NDA-gated access typically takes one business day to arrange for enterprise clients and qualified prospects.
Certification Details
Criteria covered
All five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy.
Audited by
Independent AICPA-registered CPA firm.
Scope
Full verification platform, data ingestion, processing, storage, output, and sub-processors.
What you get
Full SOC 2 Type II report under signed NDA, available within 1 business day of request.
Monitoring period
12-month continuous assessment, not a point-in-time Type I audit.
