Goodworld SOC 2 Type 1 Certification Overview

Understanding Goodworld’s SOC 2 Type 1 Attestation and what our independent audit says about the strength of our data security and compliance controls

Written by Richie Kendall
Updated this week

What is SOC 2 Type 1?

SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how service organizations manage and protect customer data.

A SOC 2 Type 1 report provides independent verification that an organization's security controls are suitably designed to meet the Trust Services Criteria at a specific point in time.


Goodworld's SOC 2 Type 1 Certification

Goodworld has successfully completed a SOC 2 Type 1 audit conducted by an independent, AICPA-accredited Certified Public Accountant (CPA). This certification demonstrates that our security controls have been independently evaluated and verified to meet rigorous industry standards.

Our SOC 2 Type 1 attestation covers the following Trust Services Criteria:

  • Security: Protection of system resources against unauthorized access

  • Availability: System availability for operation and use as committed or agreed

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized

  • Confidentiality: Information designated as confidential is protected as committed or agreed

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments and applicable privacy standards


What Does This Mean for Your Organization?

Independent Verification
A qualified third-party auditor has examined our systems and confirmed that our security controls are properly designed and implemented.

Industry Standards
Our security practices meet the strict requirements established by the AICPA, which are recognized across the technology and financial services industries.

Risk Mitigation
We have documented policies, procedures, and technical controls in place to protect your data from unauthorized access, loss, or misuse.

Compliance Assurance
Our SOC 2 Type 1 certification provides evidence that can help your organization meet its own compliance requirements when working with third-party service providers.

Ongoing Commitment
While Type 1 certification represents a point-in-time assessment, we maintain these controls on an ongoing basis and undergo regular audits to ensure continued compliance.


How to Request Our SOC 2 Report

Goodworld's SOC 2 Type 1 Letter of Attestation is below and the full report can be made available to current and prospective clients upon request.

To request access to our SOC 2 Type 1 report:

  1. Contact your Goodworld account manager, or email hello@goodworldnow.com with "SOC 2 Report Request" in the subject line

  2. Include your organization name, contact information, and intended use

Once requested, we will provide secure access to the complete SOC 2 Type 1 report.


What's Covered in Our SOC 2 Audit

Our SOC 2 Type 1 audit scope includes:

  • Access Controls: User authentication, authorization, and data access management

  • Network Security: Firewalls, encryption, and secure communication protocols

  • Data Protection: Encryption for data at rest and in transit; tokenization via Stripe

  • Physical Security: AWS data center security measures for MongoDB hosting

  • Vendor Management: Evaluation and oversight of third-party service providers

  • Incident Response: Detection, response, and management of security incidents

  • Change Management: Controlled processes for system and application updates

  • Risk Management: Identification and mitigation of security risks


Complementary Security Measures

Beyond our SOC 2 Type 1 certification, Goodworld maintains additional compliance and security standards:

  • PCI DSS Compliance: Annual SAQ-A and SAQ-D validation with Stripe (PCI Level 1)

  • CCPA Compliance: Adherence to California Consumer Privacy Act requirements

  • DPA Compliance: Data Protection Act standards

  • GDPR Compliance: Compliance for EU resident data

  • External Audits: Annual Third-Party Risk Management audits and Penetration Testing by Mastercard

  • Banking-Grade Security: System incubated within the banking sector through partnerships with Barclays Bank


Frequently Asked Questions

Q: What’s the difference between SOC 2 Type 1 and Type 2?
A: Type 1 evaluates the design of controls at a specific point in time, while Type 2 (which we are working toward) assesses their effectiveness over a period of time (6–12 months).

Q: How often is the SOC 2 audit performed?
A: Annually, to maintain certification and ensure controls remain effective.

Q: Does this guarantee my data is secure?
A: No certification can guarantee absolute security, but SOC 2 Type 1 provides independent verification that our controls are properly designed and meet industry standards.

Q: Who performed the audit?
A: The audit was conducted by an independent, AICPA-accredited CPA firm specializing in SOC audits.

Q: Can I share the SOC 2 report with my auditors?
A: Yes, under NDA, it can be shared with authorized internal auditors or compliance teams.

Q: Does SOC 2 cover financial data?
A: SOC 2 focuses on data protection controls. Payment processing is handled by Stripe, a PCI Level 1 Service Provider. All financial data is tokenized and never directly handled by Goodworld.


Additional Resources

For more details on Goodworld’s security practices: