Canopy Connect Renews its SOC 2 Type II Certification

Canopy Connect Renews its SOC 2 Type II Certification

At Canopy Connect, we’re building critical insurance API infrastructure that empowers people to securely share their insurance data. We’re fast and we’re easy to use.

Most importantly, we’re secure. We have to be because we process sensitive user data. To demonstrate our commitment to security, we were the first insurance API provider to successfully undergo an extensive third-party audit to obtain SOC 2 Type II compliance in 2021.

We’re pleased to announce that we’ve once again successfully completed our SOC 2 Type II certification for 2022.

What this means for our customers and users is that we provide enterprise-ready security for data secured in our systems. This demonstrates that we manage our data with the highest standards of security and compliance. 

When you choose Canopy Connect as your insurance API provider, you can rest assured knowing that we meet or exceed the requirements to achieve this industry standard. 


What is SOC 2

Service Organization Control 2 (SOC2) is a standard developed by the American Institute of CPAs (AICPA). There are five “trust service principles” criteria for managing customer data: security, availability, processing integrity, confidentiality and privacy.

Demonstrating SOC 2 compliance is essential for any company that stores customer data in the cloud. This makes it applicable to almost all insurance API providers. 

There are two types of SOC 2 reports. 

  • Type I: Describes company’s systems and whether their design is suitable.

  • Type II: Details the operational effectiveness of those systems over a period of time. SOC 2 Type II certifications must be renewed annually. The process to achieve Type II certification is significantly more time consuming and difficult.

Canopy Connect has met the requirements for SOC 2 Type II.

What is Involved with SOC 2 Certification?

To achieve and maintain a SOC 2 Type II certification, Canopy Connect worked with Prescient Assurance, an independent third party, to undergo an intensive audit that examined our systems for the time period from November 1, 2021 to November 15, 2022.

The audit firm tested not only that our controls were properly designed, but also that they were operated effectively. 

An auditor can present four opinions.

  • Unqualified: The auditor fully supports the findings, with no modifications.

  • Qualified: The auditor cannot express an unqualified opinion; however, the issues are not pervasive.

  • Adverse: The auditor believes that there are material and pervasive issues. Report readers should not rely on the vendor’s system.

  • Disclaimer: The auditor is unable to express an opinion due to insufficient evidence, and the possible effects could be both material and pervasive.

The SOC 2 Type II report that Canopy Connect received was unqualified meaning that our auditor found no issues with our security.

What Do Some Companies Elect to Not Do SOC 2 Audits?

Achieving and maintaining SOC 2 Type II certification requires a strong commitment to security. Companies may elect not to do SOC 2 audits for a variety of reasons that include:

  • They do not have the security controls in place to pass an audit

  • They do not feel that it is important to demonstrate their commitment to security

  • They do not have the resources required to undergo an intensive audit 

Canopy Connect was the first consumer-permissioned insurance data provider to receive our SOC 2 Type II certification and will continue to renew each year as part of our commitment to security.

Canopy Connect as Your Insurance API provider

When you work with Canopy Connect, you can rest assured knowing that the data of your users and customers is in safe hands. We’re committed not just to security, but also to the privacy of data and do not, and will not sell user data. 

We invite you to read our privacy policy, which outlines our firm commitment to not sell user data. Contact us today to see how we can help you unlock the power of consumer-permissioned insurance data.