Habits Achieves SOC 2 Type II Compliance

After completing an independent audit of our security, availability, and confidentiality controls, Habits has earned SOC 2 Type II certification - confirming that the data advisors and users trust us with is protected to the highest standard.

🔒 SOC 2 Type II Certified - November 2023
"Trust is the foundation of every relationship on this platform. SOC 2 Type II is how we prove it."
Jack Boudreau, CEO & Co-Founder, Habits

Continuous audit period: Type II
Trust service criteria: 3
Exceptions noted: 0

Habits has achieved SOC 2 Type II compliance, completing an independent audit of our security controls, system availability, and data confidentiality practices. This certification is administered by the American Institute of Certified Public Accountants (AICPA) and represents one of the most rigorous security standards available for technology companies handling sensitive data.

For a platform that sits at the intersection of financial services and personal data, earning SOC 2 Type II was not optional - it was essential. Advisors share sensitive business information on the platform. Users share detailed financial situations. The trust required to make those exchanges happen has to be earned and continuously demonstrated, not just claimed.

Type II vs. Type I - what the difference means

SOC 2 comes in two forms. Type I is a point-in-time assessment - an auditor looks at your controls on a specific date and confirms they exist. Type II is fundamentally different: it evaluates whether those controls actually work consistently over an extended observation period, typically six to twelve months.

The distinction matters because Type I can be gamed. You can tighten security for a snapshot audit and relax afterward. Type II cannot be faked the same way. Auditors are looking for consistent operation over time - monitoring logs, access reviews, incident response processes, and change management procedures that are actually running, not just documented.

"Financial advisors have compliance obligations of their own. When they ask us about our security posture, we don't want to hand them a one-page overview. We want to hand them a SOC 2 Type II report."

Jack Boudreau, CEO & Co-Founder, Habits

What was audited

The audit covered three of the five AICPA Trust Service Criteria: security, availability, and confidentiality. These are the criteria most relevant to a platform like Habits, where the primary risk vectors involve unauthorized data access, service downtime that could disrupt advisor workflows, and the exposure of sensitive financial information.

Our auditors reviewed access controls, encryption practices, vendor management processes, incident response procedures, and system monitoring infrastructure. The audit found no exceptions - meaning every control we said was in place was operating as described, consistently, throughout the audit period.

Data encryption standard: AES-256
Uptime SLA target: 99.9%
Ongoing audit cadence: Annual

What this means for advisors

For financial advisors, SOC 2 Type II is a meaningful signal. Advisors operate in a regulated environment and have real obligations around the vendors and platforms they rely on. An advisor using Habits can point to the SOC 2 Type II certification when their compliance team asks about data handling - and get a real answer, not a vague privacy policy.

This certification also reflects how Habits thinks about building for the financial services industry. The advisory business runs on trust. Every design decision, every security investment, and every compliance milestone is a bet that being rigorous about trust is the right long-term approach - for advisors, for users, and for the platform.

SOC 2 Type II is an ongoing commitment, not a one-time badge. Habits conducts annual audits to maintain certification and will publish updated reports as they become available. The current SOC 2 Type II report is available to verified advisors on request.

Financial advisors interested in reviewing our security documentation or joining the Habits network can reach out via our Contact Sales page.