Ledgy continues commitment to enterprise-grade security, availability, and confidentiality

30/10/2025
Joe Terry
Head of Marketing

Building on our commitment to enterprise-grade security with our expanded SOC 2 certification.

At Ledgy, we know that managing equity means managing some of your most sensitive business data. From cap tables and financial reporting to employee share plan ownership details, the information on our platform sits at the heart of your business operations. That's why we're committed to meeting the highest standards of data security and operational excellence.

Today, we're pleased to announce that Ledgy now holds both a SOC 1 Type II report (audit period: April 1 to August 31, 2025) and a SOC 2 Type II report covering Security, Availability, and Confidentiality trust service criteria (audit period: August 1, 2024 to August 31, 2025). Completed in September 2025, these certifications add to our existing ISO 27001:2022 certification - reinforcing our position as a platform built for enterprise-level share plan management.

Why two SOC frameworks matter

Both SOC 1 and SOC 2 Type II certifications are important to us; each serves a distinct and complementary purpose for companies managing share plans at scale.

SOC 1 Type II: Financial reporting integrity

Our SOC 1 Type II certification, covering an audit period from April to August 2025, specifically addresses controls relevant to your financial reporting. This matters because equity management directly impacts financial statements, from IFRS 2 expense calculations to shareholder disclosure requirements. With the SOC 1 certification:

  • Your auditors can rely on Ledgy's controls as part of their financial audit process
  • You gain confidence that equity transactions are processed accurately for financial reporting
  • Enterprise finance teams can demonstrate to stakeholders that their equity data meets financial reporting compliance standards
  • Our FiRe (Financial Reporting) functionality is backed by audited controls designed for financial data integrity

In short, SOC 1 Type II shows that Ledgy's platform is built to support your financial reporting obligations with the rigour that CFOs and external auditors require.

SOC 2 Type II: Comprehensive data security

While SOC 1 focuses on financial reporting, our SOC 2 Type II certification (12-month audit period) provides broader validation of how we protect all customer data. This certification covers three critical trust service criteria:

  • Security: Controls protecting against unauthorised access, both physical and logical
  • Availability: Systems and processes ensuring the platform remains accessible when you need it
  • Confidentiality: Safeguards ensuring sensitive equity data is protected and disclosed only as appropriate

For enterprise buyers, particularly in North America, where SOC 2 is the gold standard for SaaS platforms and share plan providers, this certification provides the independent validation needed to streamline procurement decisions. Instead of lengthy security questionnaires and vendor risk assessments, prospects can review our SOC 2 report and move forward with confidence.

What this means for Ledgy customers

The dual SOC framework approach isn't just about ticking compliance boxes. It's about reducing friction at every stage of working with equity management software.

Faster sales cycles, less administrative burden

Enterprise procurement teams can now rely on our SOC 2 Type II report rather than requiring bespoke security assessments. This means:

  • Shorter vendor risk review processes
  • Reduced back-and-forth on security questionnaires
  • Confidence that Ledgy meets or exceeds industry security standards
  • Clear documentation for your own compliance and audit requirements

Trust through independent validation

Both our SOC reports are prepared by MHM, a certified public accounting firm specialising in SOC audits. These aren't self-assessments; they represent rigorous, independent verification that our controls work as designed, consistently, over time.

When your internal audit team or external auditors ask about the security of your equity platform, you can point to third-party validated controls that demonstrate we take data protection as seriously as you do.

Building on a strong security foundation

These dual SOC certifications represent the latest milestones in our ongoing commitment to security:

  • ISO 27001:2022 certified for Information Security Management Systems
  • SOC 1 Type II for financial reporting controls
  • SOC 2 Type II for security, availability, and confidentiality
  • Enterprise features include SAML SSO with SCIM provisioning, two-factor authentication, role-based access controls, and granular permissions

Together, these certifications mean Ledgy provides security at the same level you'd expect from financial institutions - because that's exactly what managing share plan data requires.

The work behind the certifications

Achieving both SOC 1 and SOC 2 Type II certifications isn't a box-ticking exercise. It represents months of rigorous work across every part of our organisation:

Comprehensive policy framework: We've established and maintain formal policies covering security operations, data handling procedures, access management, incident response protocols, and business continuity planning. Every team member acknowledges and adheres to these policies annually.

Continuous monitoring and evidence collection: Throughout both audit periods, five months for SOC 1 and 12 months for SOC 2, we collected evidence demonstrating that our controls operate effectively. This includes security configuration screenshots, access review logs, proof of employee security training completion, and documentation of regular security assessments.

Cross-functional coordination: Achieving SOC 2 compliance required coordination across security, engineering, HR, operations, and legal teams. Every department handling customer data implemented controls and maintained evidence to prove consistent, effective security practices.

Ongoing testing and verification: We conduct regular internal testing of security controls, vulnerability assessments, access reviews, and incident response drills. Our audit trails demonstrate that controls work consistently throughout the entire examination periods, whether six months for financial reporting controls or 12 months for broader security controls.

Third-party auditor engagement: Our independent auditor reviewed the design of our controls, tested their effectiveness across both SOC frameworks, and produced the final reports - all with no exceptions noted.

This work doesn't stop with certification. We're committed to maintaining and improving our security, with regular audits ensuring we continue to meet the highest standards.

Looking ahead

Security and compliance are ongoing commitments. As we continue to scale and serve enterprise customers globally, we'll keep investing in the infrastructure, processes, and certifications that protect your data.

If you'd like to review our SOC 1 or SOC 2 Type II reports, please contact your Ledgy account representative - reports are available under NDA to customers, partners, and prospects evaluating our platform.

At Ledgy, we're building the equity and share plan administration platform that scales with your ambitions while meeting the security standards you demand. This latest certification milestone reinforces that commitment.

Joe is Head of Marketing at Ledgy. Previously he led content and marketing efforts at Samsung and various fintech startups.
