River is SOC 2 Type II compliant
River is now SOC 2 Type II compliant, meeting this common industry standard for security controls and the safe handling of customer data.
For anyone like myself who's not perfectly familiar with the difference between Type I and Type II: they cover the same criteria, but Type II also evaluates whether the controls operate effectively over time. So rather than a point-in-time snapshot showing that controls were correct on the day compliance was checked, the River organization has been through a period of observation demonstrating reasonable, continuing operational rigor.
River is self-hosted software, so SOC 2 isn't as important for it as it is for some orgs (the security practices of River's users are generally more relevant), but we do host some infrastructure and data like emails and API keys for our Pro users. The certification process examined those aspects for best practices.
This is far from an exhaustive list, but some examples of what was checked during the audit:
- Multi-factor authentication in use everywhere.
- Least-privileged access across all production systems.
- River's vendors (e.g. Amazon for RDS, Google for Gmail) are inventoried and meet acceptable security criteria.
- Customer data is encrypted in transit and at rest.
- Controlled change management is in place including repository-level checks and mandatory review/sign-off.
River's written by two long-time industry professionals and we like to think that we've been following security best practices on every dimension since day one, but our SOC 2 will come as a relief for some of our users, especially larger ones who'd prefer a stance of "trust but verify". If you want more information or to see our completed report, email us at team@riverqueue.com.