PTO Exchange Extends SOC 2 Certification to Protect Customer Data

By Gregg Makuch - May 26, 2021 10:01:31 AM - 6 MINS READ

External Validation on Security and Operational Effectiveness

SEATTLE, WA - May 26, 2021 - PTO Exchange, a benefits platform that converts unused employee paid time off (PTO) into other financial assets, today announced that it has successfully completed the Service Organization Control (SOC) 2 Type II certification to adhere to best-in-class cyber security compliance.

PTO-Exchange-SOC-2-type-II-certificationPerformed by a qualified third-party, the SOC 2 certification provides a means for service organizations like PTO Exchange to certify adherence to the Trust Service Principles, which are specific enterprise controls relevant to data, such as security, availability, processing integrity, confidentiality, and privacy.

Type II certification allows customers and partners to evaluate the effectiveness of any controls their governance process may require.

moore-group-soc-2-audit-specialists-pto-exchangeThe SOC 2 Type II certification, awarded initially in July 2019 by independent accounting and auditing firm The Moore Group, demonstrates PTO Exchange's rigorous commitment to data security practices, policies, procedures, and operations by meeting or exceeding the designated standards established by the American Institute of Certified Public Accountants (AICPA). 

“Since PTO Exchange operates in enterprise environments with compliance obligations around sensitive data, it is imperative for us to stay on top of industry trends related to IT security,” said Todd Lucas, CTO of PTO Exchange. “In addition, the SOC 2 Type II certification also serves as an excellent tool to demonstrate transparency to our customers and maintain their trust.”

What is SOC 2?

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.


SOC 2 audits are unique for each organization. In line with specific business practices, each company designs its own controls to comply with one or more of the trust principles. These audits provide customers and business partners with important information about how the service provider manages data.

There are two types of SOC certifications:

  1. Type I: examines a service organization's systems and whether their design is suitable to meet relevant trust principles.
  2. Type II: examines the operational effectiveness of those systems.

SOC 2 Certification

SOC 2 certification is issued by outside auditors. They assess the extent to which a vendor complies with one or more of the five trust principles based on the systems and processes in place.

  1. Security
    The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
  2. Availability
    The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.
  3. Processing Integrity
    The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.
  4. Confidentiality
    Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.
  5. Privacy
    The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).


The American Institute of CPAs is the world’s largest member association representing the accounting profession, with more than 431,000 members, and a history of serving the public interest since 1887. AICPA members represent many areas of practice, including business and industry, public practice, government, education and consulting. For more information visit AICPA.

About PTO Exchange

PTO Exchange is a flexible benefits platform that turns unused paid time off (PTO) into retirement accounts, student loan repayment, travel awards, donations, and more. PTO Exchange helps companies build and reinforce reputational excellence to attract the best employees, reduce balance sheet liabilities and strengthen community all while helping employees get the most from their earned PTO. PTO Exchange is SOC 2-certified and trusted by Premera Blue Cross, General Atomics, Howard Brown Health, STRATACACHE, and others.

Request a Demo

Gregg Makuch

Gregg is CMO at PTO Exchange. Passionate about solving customer problems, cycling, caffè, wine, and all things Italian.

Related Posts: