

SOC 2 Renewed by KPMG

Thibault de Lachèze-Murel
February 26, 2025

Dfns achieves zero-exception SOC 2 Type II certification with KPMG, raising the bar for security and compliance in 2024.

Dfns has successfully renewed its SOC 2 Type II certification for 2024 after a rigorous nine-month audit by KPMG, one of the Big Four firms. The audit, covering January 1 to September 30, evaluated the security and availability of our Wallets-as-a-Service (WaaS) system. The report confirms the strength and reliability of our security controls, reinforcing our commitment to protecting our clients' digital assets with the highest standards of security, availability, processing integrity, confidentiality, and privacy.

What makes this achievement stand out is that KPMG's report found "no exceptions noted" throughout the entire audit. This is a big step up from Dfns' 2023 SOC 2 Type II audit, where 3% of our controls had exceptions. This year's result highlights Dfns' commitment to constant improvement and the highest security standards.

Key Highlights from the 2024 SOC 2 Type II Report

  • Strong security controls: The audit reviewed our security and availability measures, covering risk management, encryption, network security, access controls, and operational resilience.
  • Zero issues found: No control deficiencies were reported—every security measure was designed and operated effectively.
  • Independent validation: KPMG, a top global auditing firm and one of the “Big Four,” confirmed our systems meet and exceed security standards.
  • Compliance and scalability: Dfns’ infrastructure is built for continuous compliance and seamless performance at scale.

Breaking “empty shell” criticism and checkbox mentality

SOC 2 (System and Organization Controls 2) is a voluntary compliance standard for service organizations, established by the American Institute of CPAs (AICPA). Recognized as one of the most rigorous compliance frameworks for technology companies, it assesses both the design and operational effectiveness of security controls over an extended period. The framework is built around five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. 

SOC 2 Type II, in particular, involves a thorough, independent audit of a company’s systems, processes, and controls over a period of 6 to 12 months, ensuring continuous adherence to these criteria. As financial institutions and fintech platforms demand robust, battle-tested security, this certification provides authoritative validation that Dfns upholds the highest standards of data protection, operational resilience, and compliance maturity.

However, SOC 2 is sometimes dismissed as a mere formality, even among security professionals, and regarded as a compliance exercise without true security rigor. Critics argue that many SOC 2 reports are little more than “empty shells,” offering the appearance of security rather than substantive protection. This skepticism stems from several factors:

  1. SOC 2 is not a one-size-fits-all standard. A company can include as few as 100 controls in its report or expand to 1,000, yet both may claim SOC 2 Type II compliance. The difference in their actual security posture, however, could be vast.
  2. The credibility of a SOC 2 report depends on the auditor. While an assessment from a lesser-known firm may satisfy the baseline requirements, it does not carry the same weight as an audit conducted by a Big Four firm like KPMG, which adheres to stricter methodologies and higher standards.
  3. For some, SOC 2 is a box-ticking exercise. Organizations that approach it as a regulatory hurdle rather than a fundamental security practice may meet the minimum requirements without embedding security into their culture or operations.

We acknowledge the criticisms and take them seriously. Our approach to SOC 2 is not about superficial compliance but about ensuring our report is a true reflection of the facts and evidence we put forward to show our commitment to security. At its core, SOC 2 is designed to provide transparency and assurance, demonstrating how an organization safeguards customer data. It should be more than just a credential; it is a foundational framework for establishing trust in an increasingly complex digital environment. With that said, compliance alone does not guarantee security. The true value of a SOC 2 report lies in its details:

  • Scope and depth of controls: A SOC 2 report can encompass a broad spectrum of security controls, from fundamental access management to advanced encryption techniques. The breadth and depth of the controls included in the audit define the rigor of the security assessment. At Dfns, we have deliberately adopted a significantly more extensive and stringent control set than the industry norm, underscoring our commitment to exceeding security expectations. 
    • Ask yourself: How many controls are evaluated? Are they comprehensive and meaningful?
  • Auditor reputation: The credibility of a SOC 2 report is heavily influenced by the reputation and rigor of the auditing firm. An audit conducted by a Big Four firm like KPMG—known for its uncompromising standards and global recognition—holds far greater weight than one performed by a lesser-known entity. 
    • Ask yourself: Was the auditor a recognized authority with stringent methodologies?
  • Transparency and evidence: A well-executed SOC 2 Type II report provides extensive documentation and concrete evidence supporting the auditor’s findings. This level of transparency enables clients to thoroughly assess an organization’s security posture and make informed decisions. 
    • Ask yourself: Are the results verifiable and backed by detailed evidence?
  • Adequacy of security measures: Security controls should not only meet compliance requirements but also align with industry best practices and adapt to evolving threats. A strong SOC 2 report demonstrates resilience beyond the audit period, ensuring continuous protection against emerging risks. 
    • Ask yourself: Do the controls reflect best practices and proactively address evolving threats?

Why is Dfns’ SOC 2 report any different?

While the criticisms mentioned above are often valid, our SOC 2 report offers a different perspective. Our objective is not to claim superiority over others but to maintain transparency about the controls we have implemented and the evidence supporting their effectiveness—proving, rather than assuming, their reliability. Rather than viewing SOC 2 as a compliance checkbox, we approach it as a dynamic framework for establishing meaningful, verifiable security protections. In 2024 alone, Dfns has implemented over 360 security controls, covering key areas such as:

  • Encryption & key management: AES-256 encryption secures data at rest, while TLS 1.3 protects data in use and in transit. Multi-Party Computation (MPC) with Distributed Key Generation (DKG) and Zero-Knowledge Proofs (ZKP) ensures cryptographic integrity, preventing key reconstitution.
  • Granular access control: Enforced role-based access follows the Principle of Least Privilege (PoLP), with strict separation of environments (production, pre-production, staging, test). Just-in-Time (JIT) access controls and Multi-Factor Authentication (MFA) enhance security and minimize exposure.
  • Continuous monitoring: Advanced security tools, including Datadog, AWS CloudTrail, Socket.dev, and Wazuh, provide real-time threat detection across infrastructure and open-source dependencies, ensuring proactive anomaly detection.
  • Incident response preparedness: Regular simulations—like phishing, DDoS, and insider threat drills—ensure operational resilience. A structured incident response plan with severity-based categorization enables swift and effective mitigation, tested at least annually for continuous refinement.
  • Risk & vendor management: Ongoing security diligence includes annual penetration testing, risk assessments, vulnerability scanning, and threat modeling. Third-party oversight extends to application monitoring, AWS SOC 2 report reviews, business continuity planning, and disaster recovery protocols.
  • Robust control environment: Security is embedded in Dfns' culture through a clear Code of Conduct, meticulous logging, stringent access controls, and unwavering ethical standards.
  • Resilient data recovery: Redundant storage and snapshot technology ensure comprehensive backup and recovery, minimizing the risk and impact of data loss.

Beyond rigorous controls and KPMG’s audit, we provide additional guarantees of security diligence:

  • Public transparency: Tools like StatusPage keep clients informed on system health and uptime.
  • Training programs: Mandatory security awareness training upon hire and annually thereafter ensures that all employees remain knowledgeable about security risks.
  • Data protection: Implementation of layered backups and geographically separated data storage (300 miles minimum) ensures data resiliency and disaster readiness.
  • Governance oversight: Regular board reviews of our cybersecurity program, engaging external experts as needed.
  • Whistleblower policy: Clearly outlined anonymous communication channels demonstrate a commitment to ethical practices and transparency.

Why this matters for our clients

Whether securing insurance, navigating regulatory requirements, ensuring transparency, or fortifying your security posture, our audit results deliver tangible value. Cyber insurers, for instance, evaluate risk based on the strength of a company’s security controls. A zero-exception SOC 2 Type II audit from KPMG signals a lower risk profile, enabling clients to negotiate better coverage, reduced premiums, and faster underwriting. By validating our security posture through a Big Four audit, we eliminate uncertainty for insurers—directly benefiting our clients.

Financial institutions and fintech platforms operate within stringent regulatory frameworks across multiple jurisdictions. Integrating with a SOC 2-certified infrastructure like Dfns allows clients to streamline compliance with GDPR, DORA, ISO 27001, ISO 22380, the GENIUS Act, and other financial regulations. Rather than spending months proving security maturity to regulators, clients can rely on our independently verified controls as a cornerstone of their compliance strategy.

A SOC 2 Type II report provides a clear, in-depth view of how security is implemented, tested, and maintained. With over 360 security controls covering encryption, access management, monitoring, and risk assessments, clients gain full transparency into the reliability of the platform they depend on. Unlike generic security assurances, our zero-exception audit proves that every measure we implement has been rigorously tested under real-world conditions.

For security and compliance teams, managing third-party risk is an ongoing challenge. Dfns' SOC 2 certification significantly eases this burden, offering a fully auditable, independently validated security framework. Instead of conducting extensive due diligence from scratch, teams can leverage our audit as a trusted baseline—saving time and reducing risk. With continuous monitoring, real-time threat detection, and an infrastructure built for resilience at scale, security leaders can shift their focus from vendor security gaps to strategic priorities.

To learn more about our security practices and to access our SOC 2 Type II report, please contact us: security@dfns.co.
