Station70 Achieves SOC 2 Type 2 Compliance: What Auditors Examined and What It Means for Institutional Due Diligence
Station70 provides secure disaster recovery infrastructure for institutions managing digital assets, protecting private keys when primary systems fail. Built with zero-knowledge architecture from day one, we've operated on a foundational belief: the strongest protection is one where we can't access your keys even if we wanted to. Our SOC 2 Type 2 compliance with zero material findings underscores that commitment, serving as a cornerstone of our approach to transparency, operational resilience, and client protection.
Addressing the Core Question in Vendor Evaluation
When security teams evaluate Station70, the question is precise: can this vendor be trusted with our keys? Station70 operates within the most sensitive layer of a client's infrastructure. An auditor-verified examination of the specific controls governing recovery procedures answers that question.
The Difference Between Type 1 and Type 2
Type 1 evaluates whether controls were designed correctly at a single point in time. Type 2 evaluates whether those controls operated effectively and consistently over an extended period, typically six to twelve months.
Type 1 provides a snapshot. Type 2 provides evidence of sustained operational discipline.
For disaster recovery infrastructure, this distinction is essential. Organizations require assurance that controls function reliably under continuous operation, not merely that they appeared adequate on a single audit date.
The Significance of Zero Material Findings
Many organizations omit this detail from SOC 2 announcements because they cannot claim it. Zero material findings indicate that controls were verified to exist as documented, that they operated correctly throughout the examination period, and that no exceptions, gaps, or issues requiring remediation were identified.
This represents a meaningful distinction between maintaining security policies and demonstrating that those policies functioned without failure over an extended operational period.
Implications for Vendor Due Diligence
For organizations evaluating Station70 as a third-party vendor, SOC 2 Type 2 compliance addresses several common requirements. Station70 can be documented as SOC 2 Type 2 compliant in standard vendor assessment frameworks. The attestation report is available upon request and will be delivered the same day. For organizations subject to the Digital Operational Resilience Act, Station70's attestation report provides third-party documentation of testable disaster recovery capabilities at the vendor level.
Audit Scope: A Critical Consideration
A vendor may hold SOC 2 compliance for general platform operations while the specific service touching sensitive client data falls outside the examination scope. Station70's SOC 2 Type 2 compliance covers the core recovery infrastructure: Nitro enclave operations, quorum enforcement mechanisms, and attestation reporting. These are the controls directly relevant to clients entrusting Station70 with disaster recovery responsibilities.
When compliance teams inquire whether the SOC 2 compliance addresses the controls relevant to their use case, the answer is affirmative.

