When you're handling enterprise data, the phrase "trust us, we're good at this" doesn't cut it anymore.
So we went ahead and got our SOC 2 Type II certification for Directus Cloud!
It is official as of July 11, 2025 and covers security controls, availability, processing integrity, confidentiality, and privacy.
What SOC 2 Type II Actually Means
SOC 2 (System and Organization Controls) isn't just a fancy certificate. It's an independent audit of our infrastructure, policies, and procedures by third-party auditors. We partnered with A-LIGN.
SOC 2 is developed by the AICPA and evaluates how cloud service providers handle security, availability, processing integrity, confidentiality, and privacy.
Basically, it's a framework to make sure companies aren't playing fast and loose with your data.
Type II is the more rigorous version. Instead of just checking that the right policies exist on paper at a single point in time (which is what a Type I report covers), independent auditors observe your controls over an extended review period to confirm you actually follow them.
For us, this means:
- Giving our auditors the access they need to verify that we handle data as well as we say we do
For you, this means:
- Your data handling meets enterprise compliance standards
- We have proper incident response procedures
- Our access controls are documented and audited
- Your security team can check this box on their requirements list
Why We Did This
The process involved lots of documentation, policy reviews, and explaining our security practices. But it forced us to formalize practices we were already following and identify areas where we could improve.
And yes, SOC 2 compliance will be helpful in conversations with prospective customers. But our core reason for pursuing it is that it was the right thing to do and the right thing to stand behind. We have grown tremendously over the last few years, and a verbal commitment only goes so far.
Now, we’re walking the walk, not just talking the talk.
What's Next
Compliance isn't something you achieve once and forget about. As we continue building Directus, we're committed to staying ahead of security threats and industry best practices.
We’ve always said that we take data security seriously, and now we have a fancy logo and the documentation to prove it. Directus is still the same developer-friendly platform you know and love (and that will never be compromised). What has changed is that, in return for your trust, we can now demonstrate that we always have and always will take compliance seriously.
If you're dealing with compliance requirements or security reviews, this should make your life easier. And if you're not, at least you know your data is in good hands.
Questions about our security practices or need a copy of our SOC 2 report? Shoot us a message at dpo@directus.io. We're happy to talk about it.