Appsmith has been certified SOC 2 Type II!

Appsmith is excited to announce that we've completed our System and Organization Controls (SOC) 2 Type II audit. This audit is yet another demonstration of our importance on security at Appsmith. 

Being an open-source project that is geared towards self-hosting, security has been at the heart of everything we’ve done. From making it super easy to self-host Appsmith, to not storing any data returned from user’s API/DB queries, to encryption, SSO, access controls, and more, we’ve always taken a security-first approach to building Appsmith. 

In addition, each code commit is analyzed by multiple static code analysis tools; we use Snyk, Deepsource, and Dependabot. We also do regular third-party vulnerability & penetration tests. 

You can read more about Appsmith’s security initiatives here

Arpit Mohan, our Co-founder, and Chief Technology Officer leads our security initiatives. Arpit is a technology veteran and has 13 years of experience building enterprise-grade software as an engineering leader across industries like cloud communications (Exotel), payments (Ezetap, now part of Razorpay), and consumer (Cultgear), in addition to founding 3 previous startups. 

What is a SOC 2 Type II audit? 

The SOC 2 audit is a highly recognized audit to certify the information compliance of a company. The criteria for the audit are set forth by the American Institute of Certified Public Accountants (AICPA). Third-party auditors can use these criteria to validate information security at companies like Appsmith. This independent attestation of security controls is crucial for Appsmith’s users, particularly those in highly-regulated industries. 

While the SOC 2 Type I audit looks to check whether a company has put in place controls at a given point in time, SOC 2 Type II is more rigorous and observes how effective these controls are over an extended period of time (typically 6-12 months).  

For our Type II audit, we worked with Certpro, a third-party auditor who thoroughly reviewed our internal security controls. These include our policies, procedures, backup and disaster recovery, infrastructure regarding change management, logical access, security incident response, and data security. We used Sprinto to ensure that we're following industry-standard security practices.

What does SOC 2 Type II Mean for our users?

Simply put, the SOC 2 certificate further improves Appsmith Cloud — and demonstrates our long-held commitment to security as an integral part of Appsmith. And since Appsmith Cloud runs the same code as the Community Edition and Business Edition self-hosted versions, our self-hosted users can be assured that the Docker containers being run in their environments are also built using the same security practices.