Subtotal Achieves SOC 2 Type II Compliance

We have some exciting news to share. Subtotal has officially completed our SOC 2 Type II audit and now has an issued SOC 2 Type II report. This has been a significant goal for us, and we're thrilled to make it official.
From day one, we have believed that connecting shopper retail accounts, powering itemized purchase data, and enabling brands to build meaningful relationships should come with rigorous security, strong controls, and transparent operational discipline. Security, trust, and operational rigor aren't afterthoughts. They are foundational to how we design the product, run the company, and support our customers. This milestone reflects that.
What Does SOC 2 Type II Mean?
SOC 2 is a security and compliance framework created by the American Institute of Certified Public Accountants (AICPA). It evaluates whether a company has established adequate controls related to security, availability, confidentiality, processing integrity, and privacy.
There are two types of SOC 2 audits. A Type I audit checks whether controls are designed correctly at a particular moment in time. A Type II audit goes further and verifies that those controls actually operate effectively over an extended period. In other words, it confirms that we actually do what we say we're going to do on a day-to-day basis.
In practical terms, this means:
- We operate controls to protect your customers’ retail-account connections, itemized purchase data, and integrations on an ongoing basis.
- External auditors reviewed and tested our controls over a sustained period spanning people, processes, and technology.
- We have committed to ongoing monitoring and transparency so you can move forward knowing Subtotal takes security and operational integrity seriously.
Why We Decided To Do This Now
We wanted to demonstrate early in our company’s life that we take data protection seriously and that our internal practices align with the expectations of enterprise procurement, privacy teams, and security stakeholders.
SOC 2 has become a standard benchmark for trust. Completing the audit and receiving our Type II report now helps us move faster with customers and stay ahead of the needs of the brands we serve.
How We Got Here
We partnered with Vanta to automate evidence collection and monitor our controls. Their platform helped us build a strong security foundation and made the readiness process smooth and efficient.
Our audit was conducted by Advantage Partners, who created a seamless audit experience and ultimately issued our SOC 2 Type II report after verifying that our controls operated effectively throughout the observation window.
Behind the scenes, our team put in a lot of focused work. We documented processes, tightened workflows, formalized policies, and reinforced habits already in place. The result is a stronger operational foundation for Subtotal as we scale.
Why This Matters for You (and Your Brand)
More confidence for your teams and stakeholders
Subtotal now operates on independently verified controls, which makes security, compliance, legal, and procurement conversations far smoother. Your teams can rely on a platform that has been tested against a recognized standard and validated over a sustained period.
A more resilient platform to build on
The SOC 2 process strengthened our internal practices, improved visibility into risks, and sharpened change management and incident response. This creates a more secure, reliable, and predictable foundation for everything you build with Subtotal.
Less friction in procurement and onboarding
Enterprise customers and partners increasingly require proof of strong operational controls, and SOC 2 Type II has become the gold standard. Having an issued report removes blockers, streamlines evaluations, and accelerates integrations and partnerships.
No changes to your product experience
The APIs, SDKs, and integrations you use today stay the same. They simply sit on top of a validated and independently tested control environment. Our developer experience remains focused on ease and clarity, with fast onboarding, clean APIs, and seamless flows.
What’s Coming Next
Achieving SOC 2 Type II compliance is a major milestone, but it's not the end of the journey. We treat this as a baseline, not a ceiling. We will continue undergoing annual SOC 2 audits, expand our security and privacy controls, and be transparent about our compliance posture and roadmap. Our goal is to make it easy for you to build with Subtotal while knowing your data is handled with care.
Thank You
We wouldn’t be here without the trust you place in Subtotal. We are grateful to the brands, shoppers, developers, and partners who believe in what we are building. Your trust matters to us, and this milestone is another way we earn it.
We are excited to keep building the future of retail and loyalty together, backed by a foundation of trust and security you can rely on.
— The Subtotal Team