# SOC 2
SOC 2 is an AICPA audit framework that evaluates a SaaS provider’s operational controls across five trust principles: security, availability, processing integrity, confidentiality, and privacy.
## Ministrium's current status
| Audit | Status | Timeline |
|---|---|---|
| SOC 2 Type I | ✅ Approved (2025-Q4) | Auditor: BDO USA |
| SOC 2 Type II | 🔄 In progress (window 2025-Q4 to 2026-Q3) | Report expected 2026-Q4 |
| ISO 27001 | 📋 Planned | 2027 |
> Type I = controls exist at a point in time.
> Type II = controls operated effectively over 6-12 months.
## Trust principles applied
### Security
- MFA required for Ministrium staff with prod access.
- Change control with peer review (mandatory PR).
- Annual third-party pen test (last: 2025-09).
- Public bug bounty with HackerOne (in preparation).
- SAST + dependency scanning on every PR.
- 24/7 intrusion detection.
### Availability
- 99.9% SLA (max ~ 8.7 h downtime/year).
- Multi-AZ by default; multi-region optional.
- Incident runbook, rotating on-call.
- Monthly backup restore (test).
- Semi-annual DR exercise.
### Processing integrity
- Automated tests (CI) on every PR.
- Staging smoke tests and canary in prod.
- Financial transaction reconciliation (Stripe vs Ministrium ledger).
- Audit of sensitive computations (tax receipts, payouts).
### Confidentiality
- At-rest + in-transit encryption (see the Encryption page).
- Mandatory NDA for staff and contractors.
- Least-privilege access.
- Tenant isolation enforced at multiple layers.
### Privacy
- DPA with every customer.
- Processes to handle DSAR (data subject access request) on time.
- Sub-processors with their own DPA and BAA where applicable.
- Privacy by design in every feature (GDPR/LGPD).
## How to get the report
The SOC 2 report is confidential and delivered under NDA:
- Request at compliance@ministrium.com from a corporate email.
- Sign the NDA (DocuSign, < 5 min).
- Receive the PDF + control-mapping table (CIS, NIST CSF).
Business+ plan churches have automatic access without annual re-signing.
## Included sub-services
The audit covers systems Ministrium controls. External sub-services (AWS, Stripe) are not in scope because they have their own SOC 2; we use their reports as supplementary evidence.
| Sub-service | Their SOC 2 |
|---|---|
| AWS | SOC 2 Type II current |
| Stripe | SOC 2 Type II current |
| SendGrid | SOC 2 Type II current |
| Twilio | SOC 2 Type II current |
| Datadog | SOC 2 Type II current |
Our report uses the carve-out method for sub-services. Scope is limited to Ministrium directly, and sub-service SOC 2s are referenced. It’s the standard pattern, accepted by most customer auditors.
## Known exceptions
In the Type I report there were two minor observations:
- Security training: 2 contractors didn’t complete the module on time. Remediation: LMS integration for auto-enforcement. Closed Q4 2025.
- Asset inventory: discrepancy between CMDB and IT tool. Remediation: daily auto-sync. Closed Q4 2025.
No critical or recurring findings.
## For your own audit
If your church is under audit (e.g. large denomination with external auditor), Ministrium can:
- Fill standard vendor security questionnaires (CAIQ, SIG, etc.).
- Participate in a technical call with your auditor.
- Provide additional evidence (your tenant’s specific logs, signed DPA copy).
To start: compliance@ministrium.com. SLA: response in 5 business days.