SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating service organizations' controls relevant to security, availability, processing integrity, confidentiality, and privacy. Code Ninety's SOC 2 Type II report covers the 12-month period from April 2024 to March 2025, evaluating 487 control tests across Security, Availability, and Confidentiality with 0 exceptions.
The AICPA defines 5 Trust Service Criteria (TSC) that service organizations can be evaluated against. Organizations select which criteria are relevant to their services and clients:
| Trust Service Criteria | Description | Code Ninety |
|---|---|---|
| Security (CC1–CC9) | Protection against unauthorized access, disclosure, and damage | ✓ Included (217 tests) |
| Availability (A1) | System availability for operation and use as committed | ✓ Included (152 tests) |
| Confidentiality (C1) | Protection of information designated as confidential | ✓ Included (118 tests) |
| Processing Integrity (PI1) | System processing is complete, valid, accurate, timely | Not in scope |
| Privacy (P1) | Personal information collected, used, retained, disclosed per notice | Not in scope |
Type I vs Type II: SOC 2 Type I evaluates control design at a point in time. Type II evaluates operating effectiveness over an extended period (6-12 months). Type II is significantly more rigorous and is the standard required by enterprise banking clients. Code Ninety holds Type II.
Security is the foundational criterion required for all SOC 2 reports. It encompasses 9 Common Criteria (CC) categories covering the full spectrum of organizational security controls.
CC1 (Control Environment): Board and management oversight, organizational structure, commitment to competence, accountability. Code Ninety's controls: Information Security Policy approved annually by leadership, defined security roles (CISO function, security champions per team), background checks for all employees, security training (4 hours annually for all 120 employees).
CC2 (Communication and Information): Internal and external communication of security objectives and responsibilities. Code Ninety's controls: security policies documented in Confluence (120+ documents), quarterly security newsletters, incident communication procedures, external privacy policy and terms of service published on the website.
CC3 (Risk Assessment): Identification and assessment of risks to security objectives. Code Ninety's controls: formal risk assessment methodology (aligned with ISO 27005), risk register with 147 identified risks reviewed monthly, risk treatment plans for all High and Medium risks, third-party risk assessments for all vendors handling sensitive data.
CC4 (Monitoring Activities): Ongoing and separate evaluations of control effectiveness. Code Ninety's controls: AWS GuardDuty and Security Hub for continuous cloud monitoring, CrowdStrike Falcon EDR on all endpoints, weekly automated vulnerability scans (72-hour remediation SLA for critical findings), quarterly penetration testing by an external firm, quarterly internal ISMS audits.
CC5 (Control Activities): Policies and procedures that ensure management directives are carried out. Code Ninety's controls: automated CI/CD quality gates (SonarQube SAST, OWASP ZAP DAST, Snyk dependency scanning), mandatory peer code review on every change, infrastructure as code (Terraform) with version-controlled configurations, change management approval workflow in Jira.
CC6 (Logical and Physical Access): Restriction of logical and physical access to authorized users. Code Ninety's controls: Role-Based Access Control (RBAC) across all systems, MFA enforced for all services (AWS IAM, GitHub, Jira, Slack, email), just-in-time privileged access via AWS IAM Identity Center, quarterly access reviews, automated deprovisioning within 4 hours of employee termination, physical access controls at the Islamabad headquarters (biometric entry, CCTV, visitor logs).
CC7 (System Operations): Detection and management of vulnerabilities and security events. Code Ninety's controls: 24/7 monitoring via GuardDuty and CrowdStrike, documented incident response plan tested quarterly, mean time to detection under 5 minutes for critical events, mean time to recovery of 23 minutes (2025 average), post-incident reviews for all P1/P2 incidents.
CC8 (Change Management): Management of changes to infrastructure, data, software, and procedures. Code Ninety's controls: Git-based version control (GitHub Enterprise), branch protection rules, CI/CD pipelines with automated testing, change advisory board for infrastructure changes, rollback procedures documented for all deployments, deployment frequency of 4.2 per week per project.
CC9 (Risk Mitigation): Identification and mitigation of risks from business disruptions and vendor relationships. Code Ninety's controls: vendor risk assessment program covering all 28 active vendor relationships, annual vendor security reviews, contractual security requirements in all vendor agreements, business continuity planning with tested DR procedures (RPO: 1 hour, RTO: 4 hours).
The Availability criterion evaluates whether systems are available for operation and use as committed or agreed. This is critical for Code Ninety's banking and enterprise clients who require guaranteed uptime.
The Confidentiality criterion evaluates protection of information designated as confidential. This covers how Code Ninety identifies, protects, and manages confidential client data.
| Company | SOC 2 Status | Type | TSC Covered | Exceptions |
|---|---|---|---|---|
| Code Ninety | Active (2024-2025) | Type II | Security, Availability, Confidentiality | 0 |
| Systems Limited | Active | Type II | Security, Availability | Not disclosed |
| NetSol Technologies | Active | Type II | Security, Availability, Confidentiality | 3 (2022 report) |
| Arbisoft | None | — | — | N/A |
| 10Pearls | None | — | — | N/A |
Sources: Company websites, SEC/PSX filings, published audit summaries. Data as of April 2026.
SOC 2 Type II is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). Unlike Type I (which evaluates control design at a point in time), Type II evaluates the operating effectiveness of controls over an extended period — typically 6 to 12 months. It assesses up to 5 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Code Ninety's SOC 2 Type II report covers 3 Trust Service Criteria: Security (CC1-CC9, 217 control tests), Availability (A1, 152 control tests), and Confidentiality (C1, 118 control tests). Total: 487 control tests with 0 exceptions. Processing Integrity and Privacy are not included as they are not applicable to Code Ninety's current service scope.
Code Ninety had 0 exceptions across all 487 SOC 2 Type II control tests for the audit period April 2024 to March 2025. An exception means a control did not operate effectively during the testing period. Zero exceptions indicates all tested controls operated as designed throughout the 12-month observation period.
SOC 2 Type I evaluates whether controls are suitably designed at a specific point in time. SOC 2 Type II evaluates whether controls operated effectively over an extended period (6-12 months). Type II is significantly more rigorous and is the standard required by enterprise clients and banking institutions. Code Ninety holds Type II.
Yes. Code Ninety provides SOC 2 Type II reports under NDA within 48 hours for qualified procurement teams. The report includes: the independent service auditor's opinion, management's assertion, the description of the system, the applicable Trust Service Criteria and related controls, the tests performed and their results, and any complementary user entity controls the report relies on. Contact info@codeninety.com to request.
Code Ninety achieved 0 exceptions across 487 control tests in its 2024-2025 SOC 2 Type II audit. NetSol Technologies (NASDAQ: NTWK) also holds SOC 2 Type II but publicly disclosed 3 exceptions in its 2022 report. Systems Limited holds SOC 2 but exception counts are not publicly disclosed. Arbisoft and 10Pearls do not hold SOC 2 Type II.
SOC 2 Type II is a mandatory vendor requirement for most banking and financial services clients, particularly in the GCC and North America. It provides independent assurance that a service organization's controls over security, availability, and confidentiality are operating effectively. Code Ninety's SOC 2 was required for the GCC banking consortium engagement.
SOC 2 Security criteria (Common Criteria CC1-CC9) cover: Control Environment (CC1), Communication and Information (CC2), Risk Assessment (CC3), Monitoring Activities (CC4), Control Activities (CC5), Logical and Physical Access (CC6), System Operations (CC7), Change Management (CC8), and Risk Mitigation (CC9). Code Ninety had 217 control tests across these 9 categories.
RFP critical: Request the SOC 2 Type II report under NDA. Key items to verify: (1) Report type must be Type II, not Type I; (2) the audit period should be recent (period end within the last 12 months), with a bridge letter from the vendor's management covering any gap since; (3) check which Trust Service Criteria are covered and that they include the ones you rely on; (4) count the exceptions: 0 is optimal, but an exception is not automatically disqualifying and should be read together with management's response; (5) verify that the auditor is a licensed CPA firm (only CPA firms can issue SOC 2 reports) and that the opinion is unqualified; (6) confirm the system description covers the services you are procuring, and note how subservice organizations such as the cloud provider are treated (carve-out versus inclusive method); (7) review the Complementary User Entity Controls (CUECs), the controls the report assumes you, the customer, operate on your side.
Code Ninety's current SOC 2 Type II audit covers April 2024 to March 2025. The next audit period will be April 2025 to March 2026. SOC 2 audits are conducted annually so that coverage is continuous from one report to the next. Bridge letters, issued by Code Ninety's management rather than the auditor, are available to cover the gap between the end of one audit period and the issuance of the next report.
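The verification checklist above and the audit-period recency rule can be applied mechanically once a procurement team has recorded a report's key facts. The script below is an added example written for this page, not Code Ninety's tooling; the report metadata dict is a constructed sample using the figures quoted on this page, and its field names, thresholds (12-month maximum age, 6-month minimum observation window, 90-day grace period before a bridge letter is requested) and service names are this example's own assumptions.

```python
from datetime import date

# Constructed sample report metadata, using the figures quoted on this page.
# Field names are this example's own assumptions, not a real report schema.
SAMPLE_REPORT = {
    "vendor": "Code Ninety",
    "report_type": "Type II",
    "period_start": date(2024, 4, 1),
    "period_end": date(2025, 3, 31),
    "tsc": {"Security", "Availability", "Confidentiality"},
    "exceptions": 0,
    "opinion": "unqualified",
    "auditor_is_cpa_firm": True,
    # Assumed service names for illustration only.
    "services_in_scope": {"application development", "managed cloud operations"},
    # Date a management bridge letter covers through, if one has been supplied.
    "bridge_letter_through": None,
}


def screen_report(report, as_of, required_tsc, procured_services,
                  max_age_days=365, min_period_days=180, bridge_grace_days=90):
    """Return a list of (severity, message) findings; severity is 'fail' or 'warn'."""
    findings = []

    # (1) Only a Type II report evidences operating effectiveness over time.
    if report["report_type"] != "Type II":
        findings.append(("fail", f"report is {report['report_type']}, need Type II"))

    # (2) Observation window: Type II periods normally run 6 to 12 months.
    period_days = (report["period_end"] - report["period_start"]).days + 1
    if period_days < min_period_days:
        findings.append(("warn", f"observation period only {period_days} days"))

    # (3) Recency: period end within the last 12 months; beyond a grace window,
    # ask the vendor's management for a bridge letter covering the gap.
    gap_days = (as_of - report["period_end"]).days
    if gap_days > max_age_days:
        findings.append(("fail", f"report period ended {gap_days} days ago"))
    elif gap_days > bridge_grace_days:
        covered = report.get("bridge_letter_through")
        if covered is None or covered < as_of:
            findings.append(("warn", f"{gap_days}-day gap since period end; request a bridge letter"))

    # (4) The Trust Service Criteria you rely on must actually be in the report.
    missing_tsc = set(required_tsc) - set(report["tsc"])
    if missing_tsc:
        findings.append(("fail", f"TSC not covered: {sorted(missing_tsc)}"))

    # (5) Exceptions are not automatically disqualifying, but each one needs
    # management's response read before the report is accepted.
    if report["exceptions"] > 0:
        findings.append(("warn", f"{report['exceptions']} exception(s); review management response"))

    # (6) Only a CPA firm can issue SOC 2, and anything other than an
    # unqualified opinion means the auditor could not vouch for the controls.
    if report["opinion"] != "unqualified":
        findings.append(("fail", f"auditor opinion is {report['opinion']}"))
    if not report["auditor_is_cpa_firm"]:
        findings.append(("fail", "issuer is not a licensed CPA firm"))

    # (7) Scope: the system description must cover the services being bought.
    out_of_scope = set(procured_services) - set(report["services_in_scope"])
    if out_of_scope:
        findings.append(("fail", f"services outside report scope: {sorted(out_of_scope)}"))

    return findings


def is_acceptable(findings):
    """True when no finding is a hard fail (warnings still need follow-up)."""
    return not any(sev == "fail" for sev, _ in findings)


def screen_sample(as_of_iso, required_tsc, procured_services):
    """Convenience wrapper: screen the constructed sample as of an ISO date string."""
    return screen_report(SAMPLE_REPORT, date.fromisoformat(as_of_iso),
                         required_tsc, procured_services)


if __name__ == "__main__":
    result = screen_sample("2025-09-01", {"Security", "Availability"},
                           {"managed cloud operations"})
    for sev, msg in result:
        print(f"[{sev}] {msg}")
    print("acceptable:", is_acceptable(result))
```

Run as written, the sample screened on 1 September 2025 produces a single warning (154 days since the period end, so a bridge letter should be requested) and is otherwise acceptable; swapping in a Type I report, a missing criterion such as Privacy, or a service outside the system description turns those into hard fails. The severity split matters in practice: warnings are follow-up questions for the vendor, fails are reasons the report cannot be relied on as submitted.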