
SOC 2 Type II

SOC 2 Type II is not a milestone. It is the baseline required to operate a regulated crypto financial platform at scale.

Crypto Dispensers completed an independent SOC 2 Type II examination covering security controls enforced in live production systems over an extended operating period. The audit evaluated how access, data, infrastructure, monitoring, and incident response are actually run day to day.

Controls were tested across engineering, compliance, operations, and vendor management. This includes identity verification, encryption, access governance, change management, and continuous monitoring aligned with banking expectations.

Audit type: SOC 2 Type II
Audit period: Operational review (controls tested over an extended operating period, not at a single point in time)
Auditor: Prescient Assurance

  • SOC 2 Type II attestation report (SOC 2 is an independent attestation examination, not a certification)
  • Security controls verified
  • Production systems tested
  • Ongoing compliance program

Audit scope

Systems and controls in scope

The SOC 2 Type II examination evaluated controls across production systems involved in the handling of customer data, funds, and transaction workflows. The scope reflects how the platform operates in live environments.

Production infrastructure

  • Application and API services
  • Cloud infrastructure and network configuration
  • System access and privilege management

Transaction workflows

  • Cash, card, ACH, and wire transaction processing
  • Balance crediting and reconciliation logic
  • Error handling and exception review

Data handling

  • Encryption at rest and in transit
  • Segmentation of sensitive customer data
  • Data retention and deletion controls

Access governance

  • Role-based access controls
  • Multi-factor authentication enforcement
  • Logging of administrative actions

Change management

  • Controlled deployment processes
  • Code review and approval workflows
  • Change tracking and rollback procedures

Incident response

  • Security event monitoring
  • Incident escalation and documentation
  • Post-incident review and remediation

The SOC 2 Type II scope focuses on production environments and operating controls. Non-production systems are governed separately and excluded unless they impact live customer data or transactions.

Ongoing governance

How controls are maintained over time

A SOC 2 Type II examination tests whether controls operated effectively throughout the review period, not merely whether they were suitably designed at a single point in time (which is what a Type I report covers). Governance at Crypto Dispensers is therefore designed to keep controls operating continuously and to keep them effective as systems, personnel, and partners evolve.

Control ownership

Each SOC 2 control is assigned a specific internal owner responsible for execution, monitoring, and evidence.

  • Defined responsibility across engineering and compliance
  • Ownership reviewed during organizational changes
  • Clear escalation paths for control failures

Change management

System changes are evaluated for security and compliance impact before deployment.

  • Documented approval workflows
  • Code review and testing requirements
  • Change tracking and rollback procedures

Monitoring and logging

Control effectiveness is supported by continuous monitoring of production systems.

  • Security and access logs retained and reviewed
  • Alerts configured for anomalous activity
  • Evidence available for audit review

Incident response

Security and operational incidents follow defined response and documentation procedures.

  • Incident classification and severity assessment
  • Response timelines and accountability
  • Post-incident review and remediation tracking

Policy management

Security and compliance policies are reviewed and updated to reflect operational and regulatory changes.

  • Formal review cadence
  • Employee acknowledgment tracking
  • Alignment with audit scope

Audit readiness

Evidence collection and documentation are maintained continuously, not assembled at audit time.

  • Ongoing evidence capture
  • Internal readiness reviews
  • Third-party audit coordination

Governance processes are designed to support recurring audits and ongoing third-party reviews without changes to production operations.

Third-party oversight

How external dependencies are managed

Crypto Dispensers relies on regulated vendors and infrastructure providers to support payment processing, identity verification, hosting, and communications. Third-party risk is managed through structured review, monitoring, and contractual controls.

Vendor selection

Vendors are evaluated prior to onboarding based on security posture, regulatory alignment, and operational relevance.

  • Security and compliance due diligence
  • Assessment of data access and scope
  • Alignment with regulatory obligations

Risk classification

Vendors are categorized based on the sensitivity of data and systems they interact with.

  • Tiering based on access to customer data
  • Higher scrutiny for critical service providers
  • Scope-based control requirements

Contractual controls

Agreements define security, confidentiality, and data handling responsibilities.

  • Data protection and confidentiality clauses
  • Incident notification requirements
  • Termination and access revocation terms

Ongoing monitoring

Vendor posture is reviewed periodically and upon material change.

  • Annual or risk-based reassessments
  • Review of audit reports where applicable
  • Monitoring of service performance

Access management

Vendor access is limited to the minimum required for service delivery.

  • Least-privilege access enforcement
  • Credential rotation and revocation
  • Logging of vendor interactions

Incident coordination

Vendor-related incidents follow defined escalation and response procedures.

  • Shared incident notification workflows
  • Defined response timelines
  • Post-incident review and remediation

Vendor oversight processes are reviewed as part of ongoing compliance activities and SOC 2 audit preparation.

Regulatory alignment

How SOC 2 fits within KYC, AML, and banking controls

SOC 2 Type II does not replace regulatory obligations. It supports them by providing evidence that security, access, and operational controls function consistently across systems that enforce KYC, AML, and transaction monitoring.

Identity verification

KYC processes rely on secure handling of personal data and controlled access to verification systems.

  • Restricted access to identity data
  • Encryption and retention controls
  • Audit trails for verification activity

Transaction monitoring

AML and fraud monitoring systems depend on accurate, timely, and complete transaction data.

  • Integrity of transaction records
  • Logging of system and user actions
  • Exception handling and review workflows

Banking partner requirements

Regulated banks evaluate security posture as part of ongoing account and rail access.

  • Evidence of access governance
  • Demonstrated incident response capability
  • Documented control ownership

Segregation of duties

Compliance programs require separation between operational, review, and approval functions.

  • Role-based access controls
  • Approval workflows for sensitive actions
  • Logging of administrative activity

Record retention

Regulatory frameworks require records to be retained and retrievable for defined periods.

  • Defined data retention schedules
  • Secure storage of historical records
  • Controlled access to archived data

Regulatory examinations

SOC 2 evidence supports responses to regulatory and banking examinations.

  • Documented control operation
  • Traceable evidence across systems
  • Reduced ad hoc information requests

SOC 2 Type II provides assurance that the systems enforcing regulatory requirements operate consistently over time. Regulatory compliance obligations remain governed by applicable laws and partner agreements.