We’re excited to announce that Workhorse has successfully completed a System and Organization Controls (SOC) 2 Type 2 audit and received an attestation report. This achievement exemplifies our commitment to maintaining the highest security, privacy, and compliance standards for our customers.
This independent, third-party validation affirms that the infrastructure and processes powering our company meet rigorous standards for security, reliability, and operational excellence.
SOC 2 Type 2: What It Means
SOC 2 Type 2 is an attestation report issued by an independent CPA firm following a rigorous audit of our security controls and how we handle customer data.
The “Type 2” part means it’s not just about having policies on paper – it’s about proving they work, over time. For three months, an independent auditor examined every layer of our operation, from infrastructure and access controls to incident response plans and data encryption.
It’s About More Than Passing a Test
This isn’t just a compliance checkbox. It’s a chance to measure and prove how we put client security first.
There’s a real weight to knowing people rely on their platforms for their daily operations. Websites managed at Workhorse often connect with CRMs, process customer data, and serve thousands of users. Every update, every piece of data, every decision has to be done the right way.
“We treat security like a product,” said Thomas Bacon, CTO. “It’s constantly evolving, and it needs constant attention. We built the systems, policies, and habits that earned this certification long before the audit began. SOC 2 just puts a stamp on what’s already true behind the scenes.”
From cloud hosting on AWS, to tools like Datadog and GuardDuty for 24/7 monitoring, to yearly penetration testing and role-based access controls, everything has been built to support secure, scalable work for clients in any industry.
Building with Confidence
For marketing teams, business leaders, and partners who rely on dependable digital infrastructure, we want you to know that security is taken seriously at Workhorse:
- Customer data is encrypted, both in transit and at rest.
- Access is tightly controlled, with permissions based on job roles.
- Incidents are planned for and tested, not just reacted to.
- All updates go through a defined change management process, with testing and approval before anything touches production.
- Systems are backed up and monitored, with documented disaster recovery and business continuity plans.
“Clients shouldn’t have to ask whether their website is being protected,” said Morgan Hampton, COO. “That should be the default. The bar should be high. Earning this certification is one way of showing we’ve met, and exceeded that bar.”
What the Audit Looked At
The audit, conducted by Johanson Group LLP, covered daily operations, documentation, process, access controls, and more. A few highlights:
- Security awareness training is required for all team members within 30 days of hire.
- Access to sensitive systems is granted using least-privilege principles, and reviewed annually.
- Backups are encrypted and monitored.
- Client data is protected according to formal retention and disposal policies.
- Vulnerability scans run automatically, and any issues are immediately assigned within the project management system for assessment and remediation.
- Subservice providers like AWS are regularly assessed using third-party attestation reports.
Our Commitment to Ongoing Improvement
While our SOC 2 Type 2 audit completion is a big milestone, but it’s not the finish line. New threats show up, systems evolve, and expectations rise.
Now that we’ve completed the initial three-month observation window, Workhorse will be transitioning to year-round observation. In other words, our processes, controls, and policies will be audited continously.
Security will always be part of the build. It’s woven into how everything is done.
The Bottom Line
If you’re in charge of your organization’s website, or work with partners who are, you need to know your data, users, and systems are being handled the right way. A SOC 2 Type 2 Certification proves the work being done at Workhorse is secure, reliable, and built on a foundation of trust.
For businesses in healthcare, finance, education, or any regulated industry, it’s even more important. You need a website that doesn’t just meet your brand goals, but meets your compliance goals too.
It’s not common for web development agencies of our size to have completed a SOC 2 Type 2 audit either, which makes us all the more proud to have done so.
Visit our Trust Center
To publicly and transparently illustrate our commitment to client security, visit our Trust Center for more information on security policies, audits, how your data is protected, or reach out to start a conversation about your next project.
Whether you’re building something new or scaling something big, there’s nothing more important than knowing it’s done right, and knowing you can trust the people behind it.