Blog · May 21, 2026

Didit Is SOC 2 Type 1: What's In Scope and What It Means

Didit holds a SOC 2 Type 1 attestation from ATOM, covering the Security, Availability, and Confidentiality trust criteria as of 2026-04-09. Here is what SOC 2 Type 1 attests to, what is in scope, and how to use it in vendor due di

By Didit

When a US enterprise sends a vendor security questionnaire, one line decides how long the review takes: do you have a SOC 2 report? Didit does. Didit holds a SOC 2 Type 1 attestation, issued by ATOM as an independent service auditor under the AICPA's SOC for Service Organizations framework, covering the Security, Availability, and Confidentiality trust criteria as of 2026-04-09.

This guide explains what SOC 2 Type 1 attests to, exactly what is in scope for Didit, the difference between Type 1 and Type 2, and how to use the report in your own due diligence.

Key takeaways

  • Didit holds a SOC 2 Type 1 attestation from ATOM, an independent service auditor under the AICPA SOC for Service Organizations framework.
  • Three trust service criteria are in scope: Security, Availability, and Confidentiality.
  • Type 1 attests to the design of controls as of a point in time — here, as of 2026-04-09. A Type 2 examination, which tests operating effectiveness over a period, is planned.
  • The audited entity is Didit Identity, Inc., and the system in scope is the Didit Software Application.
  • The full report is restricted-use under AICPA rules — Didit shares it with prospects and customers who have a legitimate need and an NDA in place. It is referenced here, not published.

What SOC 2 is

SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that handle customer data. An independent auditor examines a provider's controls against one or more Trust Service Criteria and issues a report describing what was examined and what the auditor concluded.

There are five trust service criteria, and a provider chooses which apply to its service:

  • Security — protection of systems against unauthorized access (the one criterion every SOC 2 report includes).
  • Availability — the system is available for operation and use as committed.
  • Confidentiality — information designated confidential is protected.
  • Processing Integrity — processing is complete, valid, accurate, and timely.
  • Privacy — personal information is handled in line with the provider's privacy notice.

Didit's report covers Security, Availability, and Confidentiality — the three most relevant to an identity provider on the critical path of customer onboarding.

Type 1 vs Type 2 — the distinction that matters

The single most important thing to read correctly on any SOC 2 report is whether it is Type 1 or Type 2, because they attest to different things:

  • What it attests. Type 1: the design of controls. Type 2: the operating effectiveness of controls.
  • Time frame. Type 1: a point in time ("as of" a date). Type 2: a period (typically 3–12 months).
  • Question answered. Type 1: are the right controls in place and suitably designed? Type 2: did those controls actually operate effectively over time?

Didit's current attestation is Type 1, as of 2026-04-09 — it confirms that the controls across Security, Availability, and Confidentiality are in place and suitably designed. A Type 2 examination, which would test that those controls operated effectively over a period, is the next examination on the roadmap, planned before the 12-month logo-use window from the Type 1 report closes. Didit does not claim Type 2 today.

Why it matters

For a buyer, a SOC 2 report is shorthand for "an independent auditor has looked at this provider's controls so you don't have to from scratch." It compresses what would otherwise be a bespoke security audit into a standard artifact your team already knows how to read. For a US enterprise, fintech, or any organization with a mature vendor-risk process, the presence of a SOC 2 report often determines whether a provider clears procurement at all.

Type 1 specifically tells the buyer that the control environment is designed correctly at a point in time — a strong starting position, and the natural precursor to the operating-effectiveness assurance that Type 2 will add.

How Didit helps

A recognised attestation, ready for your questionnaire. Didit's SOC 2 Type 1 report — audited entity Didit Identity, Inc., system in scope the Didit Software Application, auditor ATOM (Information Security Privacy) — answers the SOC 2 line on a US security questionnaire directly. Because Security, Availability, and Confidentiality are all in scope, it covers the criteria most reviewers care about for an onboarding dependency.

Honest scope, no overstatement. Didit's attestation is Type 1. We say Type 1. The Type 2 examination is planned and dated on our renewal calendar (it must be issued before 2027-04-09, the close of the logo-use window). A buyer never has to discover a gap between what was claimed and what the report says.

Shared the right way. The full SOC 2 Type 1 report is restricted-use under AICPA rules. Didit shares it with prospects and customers who have a legitimate need and an NDA in place — the standard, expected handling for a SOC 2 report. The security and compliance hub is the starting point to request it.

Part of a stack, not a standalone. SOC 2 Type 1 sits alongside Didit's ISO/IEC 27001:2022 certification (cert nº ES144068, valid until 2027-06-03), iBeta Level 1 PAD biometric anti-spoofing (0% attack success across 360 attempts), and the Spanish government sandbox conclusion that Didit's remote verification exceeds in-person standards. Together they give a due-diligence team multiple, independent lines of assurance.

Deep dive: how to read Didit's SOC 2 report in due diligence

When your team reviews the report under NDA, these are the elements to confirm:

  • Report type — Type 1 (design of controls). Note the planned Type 2.
  • As-of date — 2026-04-09.
  • Trust Service Criteria — Security, Availability, Confidentiality.
  • Audited entity — Didit Identity, Inc.
  • System in scope — the Didit Software Application.
  • Auditor — ATOM, an independent service auditor under the AICPA SOC for Service Organizations framework.

Pair the SOC 2 report with the distributable ISO 27001 certificate for a complete information-security picture: ISO 27001 evidences a certified management system, SOC 2 evidences independently examined controls against the trust criteria.

Use cases

  • US enterprise procurement where a SOC 2 report is a hard gate to clear vendor review.
  • Fintech and payments buyers assessing the security and availability of an onboarding dependency.
  • Security and GRC teams mapping a provider's controls to their own framework.
  • Compliance officers assembling a vendor file that needs independent, recognised assurance.

Frequently asked questions

Is Didit SOC 2 Type 1 or Type 2?

Type 1. The report attests to the design of controls as of 2026-04-09, across Security, Availability, and Confidentiality. A Type 2 examination, which tests operating effectiveness over a period, is planned.

What trust service criteria does the report cover?

Security, Availability, and Confidentiality — the three most relevant to an identity provider on the onboarding path.

Who audited Didit?

ATOM, an independent service auditor under the AICPA SOC for Service Organizations framework.

Can I get a copy of the report?

The full SOC 2 Type 1 report is restricted-use under AICPA rules. Didit shares it with prospects and customers who have a legitimate need and an NDA in place. Start at the security and compliance hub to request it.

When will the SOC 2 Type 2 report be available?

A Type 2 examination is planned, to be issued before the 12-month logo-use window from the Type 1 report closes (by 2027-04-09).

Ready to get started?

See Didit's full attestation stack on the security and compliance hub, explore the verification service the report covers on the ID Verification product page, and review transparent per-check pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, on a SOC 2 Type 1-attested platform.
