Trust Portal

r2c is proud to announce that we've completed our first SOC 2 Type 2 audit. Achieving SOC 2 Type II compliance is one of the primary ways we demonstrate our company's privacy and security practices. Maintaining SOC 2 compliance underpins our continued commitment to protecting our customer's data.

What is SOC 2 Type 2?

The Service Organization Control (SOC) 2 Type 2 audit is the best-known information security certification in the industry and a common request from our customers. A SOC 2 Type 2 certification includes third-party security and control testing against standards set by the American Institute of CPAs (AICPA). 'Type 2' audits signify that we both had appropriate procedures and controls in place; and that they were followed and achieved their goals across the audit period.

What does this mean for our customers?

SOC 2 compliance is independent confirmation that we are following the security, privacy, and reliability practices you'd expected of a modern software company. Moreover, it's a standard our enterprise customers hold themselves to and typically expect of their vendors in return.

However, SOC 2 is only one of a basket of practices and processes we follow to ensure our products and services are secure. We continue to build upon proactive and detective security practices, including a program of secure software design and active security assessments.

Semgrep SAST and Semgrep Supply Chain are both a core part of our secure development practices – ask to see a demo of how we use our products across our engineering efforts.

What’s next?

Achieving SOC 2 Type 2 compliance is not a one-time event but a baseline of security and privacy practices that must be maintained and audited annually. We look forward to using SOC 2 to demonstrate and build upon our commitment to privacy and security across our current and future products and features.

On the evening of January 4, 2023, CircleCI notified customers of a breach and recommended teams rotate "all secrets stored in CircleCI" and review systems for unauthorized access between December 21, 2022, and January 4, 2023.

r2c uses CircleCI for a limited amount of continuous integration workflows that do not involve production infrastructure or user data. Our security and engineering teams have reviewed these workflows and either disabled or rotated all credentials in use.

No unauthorized access to r2c systems or services has been identified. CircleCI’s investigations continue. r2c’s security team continues to monitor updates from the vendor and review access from the affected period.

Yesterday, November 1, 2022, OpenSSL released version 3.0.7 to patch CVE-2022-3602 and CVE-2022-3786, two HIGH-risk vulnerabilities in the OpenSSL 3.0.x cryptographic library.

R2C is not vulnerable to these issues as our services and products do not rely on the vulnerable version of OpenSSL. Nor do we use the functionality causing these vulnerabilities.

If you want supply chain risk analysis that goes beyond simple version tracking, check out our recently launched Semgrep Supply Chain product. Semgrep Supply Chain allows you to interrogate your use of dependencies and whether you are exposed to specific vulnerabilities or not.

For more information on these vulnerabilities, see the great write-up by Datadog Security Labs.