Verda is SOC 2 Type II compliant Learn more
Login Sign up
Login Sign up
Contact Us

Verda completes SOC 2 Type II audit

Ömer Tumer 4 min read
Share
Verda completes SOC 2 Type II audit

Verda completes SOC 2 Type II audit

We are pleased to announce that Verda has successfully completed a SOC 2 Type II audit. For customers running sensitive AI workloads, this means one fewer question in your procurement review and one more audited control surface you can point your security and compliance teams towards.

The SOC 2 Type II report covers three Trust Services Criteria — Security, Availability, and Confidentiality — across the 2025 audit period. To request a copy under NDA, reach out at [email protected] or via our contact form.

For every workload, and every compliance layer

Our customer base is diverse, spanning geographies, industries, and stages of growth. We serve AI-native startups, enterprises in regulated industries, and global names like Sony, Samsung, and ExpressVPN. We've been building our compliance coverage across distinct control surfaces to match the needs of these customers and different regulatory regimes require different frameworks.

Here's what that looks like today:

  • ISO 27001: Information security management. The foundation. Covers how we operate, what controls we enforce, and how we manage risk. This is what your CISO's team asks for first.
  • ISO 27017: Cloud-specific security controls. Goes beyond 27001 to address shared-responsibility boundaries, virtualization security, and cloud service agreement transparency. Matters when your compliance team needs to understand exactly where your controls end and ours begin.
  • ISO 27701: Privacy information management. Extends 27001 into data protection governance. This is the framework that maps directly to GDPR's processor obligations and gives your DPO something auditable to point at.
  • ISO 27018: Protection of personally identifiable information in public clouds. For any customer processing PII on our infrastructure — which, if you're building customer-facing AI, is most of you.
  • SOC 2 Type II: Our newest addition. A framework covering the security, availability, and confidentiality of customer data over a sustained audit period. A Type II report means an independent auditor observed our controls operating effectively over time. We treat each certification and framework as a distinct commitment, and we publish all current audits and their status at trust.verda.com.

A platform built for regulated and sovereign workloads

Our customers in financial services, life sciences, industrial and robotics, and media operate in sectors where regulatory obligations vary significantly by jurisdiction and workload. While certifications and audits cover part of this picture, some requirements can't be satisfied by a framework or certification alone.

Data residency, jurisdictional sovereignty, and sustainability mandates depend on where your infrastructure physically sits, who operates it, and how it's powered as well. Verda runs on 100% renewable energy in the Nordics, operated by a European entity. As such, we are able to cover use cases that other cloud providers cannot satisfy structurally, even with a similar set of accreditation.

Trust as a roadmap

Our audit portfolio continues to grow. SOC 2 Type II is the latest addition, with the German cloud computing attestation, C5, on our audit roadmap. We will keep investing in new ones to make sure more AI workloads can run on Verda without compromise.

But certifications and attestations are not the full picture. They verify how we operate the platform: our processes, our access controls, our incident response. They do not change what the platform can access. For the most sensitive workloads, that distinction matters.

That is why we are also investing in confidential computing — extending protection from data at rest and data in transit to data in process, the final state where workloads have historically been exposed to the cloud operator. The audit portfolio proves we follow good processes. Confidential computing means you don't have to take our word for it at the workload layer itself.

Together, they represent two sides of the same principle: trust built on evidence and architecture, not on promises.

If you would like to discuss a specific compliance requirement or workload, contact us.

Subscribe to our newsletter

Get the latest updates on GPU benchmarks and AI research
Your information will be used in accordance with the Privacy Policy. You may opt out at any time.