Security

Security at GetCheckmark

Our trust centre at trust-centre.html covers our security posture in detail. We hold SOC 2 Type II attestation and ISO 27001:2022 certification, and we operate exclusively in EU jurisdictions for customer-data scope.

Certifications and frameworks

  • SOC 2 Type II (current, Q1 2026 audit completed)
  • ISO 27001:2022 (certified, BSI Ireland)
  • GDPR-aligned data processing posture
  • EU-only hosting for customer data (AWS Dublin primary, Frankfurt secondary)
  • Annual third-party penetration test (last: Q4 2025)
  • Continuous vulnerability scanning across infrastructure and application layers

Data protection

All customer data is processed and stored within the European Union. AWS Dublin is the primary region; AWS Frankfurt is the backup region. We do not transfer customer data outside the EU. The subprocessor list is documented in the trust centre and updated with 30 days' notice before any changes.

Vulnerability disclosure

We welcome reports of security issues affecting our systems. To report a vulnerability, see our security.txt file or write to security@getcheckmark.com. We commit to acknowledging reports within two working days and to a coordinated disclosure timeline of up to 90 days, extendable by agreement.

Penetration testing

Our infrastructure is independently tested annually by a CREST-accredited assessor. The latest assessment was completed in Q4 2025 (assessor: a CREST-accredited UK firm); an executive summary is available to prospective clients on request under NDA.

Subprocessors

A current list of our subprocessors is available on request to clients under NDA. Updates to the list are notified by email with 30 days' notice.