Bemi achieves SOC 2 compliance
At Bemi, security and reliability have always been at the core of what we do. Long before we even considered a SOC 2 audit, we built our systems with security, encryption protocols, and processes that went well beyond the requirements. Here are some of the security features Bemi already had in place:
- AES-256 storage encryption at rest
- TLS in-transit encryption to protect database traffic
- HTTPS in-transit encryption to encrypt all web traffic
- Customers’ credentials protected with military-grade encryption algorithms
- Restricted IP access rules and password credentials for destination databases
- Static Bemi IPs for allowlisting a connection to source databases
- Isolated internal network SSH tunnelling with certification encryption
- Data- and container-level customer isolation
- Monitoring and alerting at all stack layers
- Continuous software vulnerability scanning
As we grew, we realized that transparency is just as important as having strong security in place. And for many of our customers, especially those with stringent legal and security requirements, an external audit is a crucial part of building that trust.
Why We Pursued SOC 2 Now
SOC 2, or Service Organization Controls 2, is a framework governed by the American Institute of Certified Public Accountants (AICPA). With a SOC 2 audit, an independent service auditor will review an organization’s policies, procedures, and evidence to determine if their controls are designed and operating effectively. A SOC 2 report communicates a company’s commitment to data security and protection of customer information.
We decided to pursue SOC 2 compliance because we wanted to make our commitment to security as clear as possible. We’ve always been open about our processes—just a few months ago, we open-sourced our codebase to give everyone a closer look at what we’ve built. In the same spirit of transparency, we recognized that an external SOC 2 audit would provide the additional assurance that larger companies’ legal and security teams look for. It’s another step in our ongoing investment in trust.
Our Journey to SOC 2 Certification
We partnered with Vanta, the leader in Trust Management, to automate the collection of our audit evidence. Vanta provides us with the strongest security foundation to protect our customer data.
Our audit firm, Advantage Partners, then stepped in to assess our controls. For the audit, Advantage Partners evaluated the controls we have in place and opined on their state. Shortly after our audit window ended, Advantage Partners drafted and issued our report.
While SOC 2 can be a big undertaking, our compliance partners greatly streamlined the process. The readiness period can take the most time, but we were able to make compliance a priority and get audit-ready in a matter of weeks rather than months.
We also found it important to review the audit timeline with Advantage Partners, set an ideal audit date, and then work backwards to be ready in time. Now that controls are implemented, subsequent SOC 2 audits will be even more seamless.
Lessons We Learned
Focus on Improving Security Posture, Not Checking Boxes
Compliance isn’t a one-size-fits-all approach. It’s about continually improving security, not just meeting the minimum requirements. At Bemi, we’ve always seen security as an ongoing project, something that’s woven into the fabric of our company.
Start the Process Early
Implementing security measures is easier when you start early. We’ve always prioritized building secure infrastructure, which made our SOC 2 journey smoother. By embedding security in our processes from day one, we were able to meet SOC 2 standards without needing to overhaul our systems.
Security and Compliance Help Scale Your Business
SOC 2 compliance isn’t just about security—it’s also a business enabler. Many of our larger customers require vendor security reviews as part of their procurement process. With our SOC 2 report, we can move through these reviews more quickly, allowing us to scale faster and with greater trust.
The Right Partners Are Key
Choosing the right tools and audit partners is crucial. Vanta and Advantage Partners helped us navigate the SOC 2 process efficiently. Their expertise ensured that our journey to compliance was seamless, saving us time and effort.
Looking Ahead
We’re proud of what we’ve achieved, but this is just one step in our ongoing commitment to security. As we continue to grow, we’ll keep investing in the tools and processes that protect our customers and build trust. Achieving SOC 2 compliance is an important milestone, but it's part of a broader mission. We were already HIPAA compliant, ensuring that we meet strict standards for healthcare data protection. Moving forward, we'll continue to prioritize security and transparency, making Bemi a company you can rely on—both now and in the future.