Security and compliance

SOC 2 Type II

Independent verification of how Crypto Dispensers operates, secures data, and enforces controls in live production systems.

This SOC 2 Type II examination evaluated the design and operating effectiveness of security controls over time, reflecting how systems function in real-world, day-to-day conditions.

Audit standard: SOC 2 Type II
Systems reviewed: Live production environment
Independent auditor: Prescient Assurance

What this means

SOC 2 Type II evaluates operational discipline over time, not one-time attestations or surface-level controls.

Audit scope

Systems and controls in scope

The SOC 2 Type II examination evaluated how production systems operate in real conditions, including controls that protect customer data, funds, and transaction workflows.

Production infrastructure

  • Application and API services
  • Cloud infrastructure and network configuration
  • System access and privilege management

Transaction workflows

  • Cash, card, ACH, and wire processing
  • Balance crediting and reconciliation logic
  • Error handling and exception review

Data handling

  • Encryption at rest and in transit
  • Segmentation of sensitive customer data
  • Retention and deletion controls

Access governance

  • Role-based access controls
  • Multi-factor authentication enforcement
  • Administrative activity logging

Change management

  • Controlled deployment workflows
  • Code review and approval requirements
  • Change tracking and rollback procedures

Incident response

  • Security event monitoring
  • Incident escalation and documentation
  • Post-incident review and remediation

Scope note

The SOC 2 Type II scope focuses on production environments and operating controls. Non-production systems are included only where they impact live customer data or transaction integrity.

Ongoing governance

How controls are maintained over time

SOC 2 Type II evaluates how controls operate continuously. Governance at Crypto Dispensers is designed to keep controls effective as systems, personnel, and partners evolve.

Control ownership

Each SOC 2 control has a designated internal owner responsible for execution, monitoring, and evidence.

  • Defined accountability across teams
  • Ownership reviewed during org changes
  • Clear escalation for control failures

Change management

System changes are reviewed for security and compliance impact prior to deployment.

  • Documented approval workflows
  • Code review and testing requirements
  • Change tracking and rollback procedures

Monitoring and logging

Control effectiveness is supported by continuous monitoring of production systems.

  • Security and access logs retained
  • Alerts for anomalous activity
  • Evidence available for audits

Incident response

Security and operational incidents follow defined response and documentation procedures.

  • Incident classification and severity
  • Response timelines and accountability
  • Post-incident remediation tracking

Policy management

Security and compliance policies are reviewed to reflect operational and regulatory changes.

  • Formal review cadence
  • Employee acknowledgment tracking
  • Alignment with audit scope

Audit readiness

Evidence and documentation are maintained continuously, not assembled at audit time.

  • Ongoing evidence capture
  • Internal readiness reviews
  • Third-party audit coordination

Governance note

Governance processes are designed to support recurring audits and ongoing third-party reviews without disruption to production systems.

Third-party oversight

How external dependencies are governed

Crypto Dispensers relies on regulated vendors for payments, identity verification, infrastructure, and communications. Third-party risk is managed through structured review, contractual controls, and ongoing monitoring.

Vendor selection

Vendors are evaluated prior to onboarding based on security posture, regulatory alignment, and operational relevance.

  • Security and compliance due diligence
  • Assessment of data access and scope
  • Alignment with regulatory obligations

Risk classification

Vendors are tiered based on the sensitivity of data and systems they interact with.

  • Tiering based on access to customer data
  • Higher scrutiny for critical providers
  • Scope-based control requirements

Contractual controls

Agreements define security, confidentiality, and data handling responsibilities.

  • Data protection and confidentiality clauses
  • Incident notification requirements
  • Termination and access revocation terms

Ongoing monitoring

Vendor posture is reviewed periodically and upon material change.

  • Annual or risk-based reassessments
  • Review of audit reports where applicable
  • Monitoring of service performance

Access management

Vendor access is restricted to the minimum required for service delivery.

  • Least privilege enforcement
  • Credential rotation and revocation
  • Logging of vendor interactions

Incident coordination

Vendor-related incidents follow defined escalation and response procedures.

  • Shared notification workflows
  • Defined response timelines
  • Post-incident remediation tracking

Oversight note

Third-party oversight processes are reviewed as part of ongoing compliance activities and SOC 2 Type II audit preparation.

Regulatory alignment

How SOC 2 supports KYC, AML, and banking controls

SOC 2 Type II does not replace regulatory obligations. It provides independent assurance that the systems enforcing KYC, AML, and banking requirements operate consistently in live production environments.

Identity verification

KYC processes rely on secure handling of personal data and controlled access to verification systems.

  • Restricted access to identity data
  • Encryption and retention controls
  • Audit trails for verification activity

Transaction monitoring

AML and fraud monitoring systems depend on accurate, timely, and complete transaction data.

  • Integrity of transaction records
  • Logging of system and user actions
  • Exception handling and review workflows

Banking partner requirements

Regulated banks evaluate security posture as part of ongoing rail and account access.

  • Evidence of access governance
  • Demonstrated incident response capability
  • Documented control ownership

Segregation of duties

Compliance programs require separation between operational, review, and approval functions.

  • Role-based access controls
  • Approval workflows for sensitive actions
  • Logging of administrative activity

Record retention

Regulatory frameworks require records to be retained and retrievable.

  • Defined data retention schedules
  • Secure storage of historical records
  • Controlled access to archived data

Regulatory examinations

SOC 2 evidence supports regulatory and banking examinations.

  • Documented control operation
  • Traceable evidence across systems
  • Reduced ad hoc information requests

Regulatory note

SOC 2 Type II provides assurance that systems enforcing regulatory requirements operate consistently over time. Regulatory obligations remain governed by applicable law and partner agreements.


Why it works

Bitcoin works because it removes discretion from money. No committee controls supply. No institution can inflate it away. No permission is required to hold or transfer it. These are properties of the protocol, not promises of a company.

Always review quoted pricing, limits, and instructions before submitting payment. Cryptocurrency transactions are generally irreversible once processed.