At Proton, we prioritize our community’s privacy and data security in every aspect of how we operate — from our open-source apps to our zero-access architecture.
To further demonstrate our commitment, we recently completed an in-depth external audit and — in July 2025 — successfully achieved our first SOC 2 Type II attestation, one of the most widely recognized standards for operational security in business. It provides third-party validation that we not only have strong security controls in place, but that they’re consistently followed in practice.
Here’s what this means, and what’s next for Proton.
How we did it
At Proton, our philosophy is simple: Build strong security first, then let compliance follow.
That approach paid off. To complete the SOC 2 Type II audit, we didn’t have to overhaul how we work. We formalized and documented many of the controls already embedded in our day-to-day operations — from access management and incident response to system monitoring and risk assessment.
The audit examined the real-world implementation of our security controls across our infrastructure. This included interviews, technical reviews, and documentation checks — all conducted by Schellman, an independent, third-party auditing firm widely consulted in the tech sector.
In other words, our internal security practices were put under the microscope — and validated.
Why we did it
Proton was built on the idea that privacy is a human right — and trust still has to be earned.
As an organization founded by scientists, we believe that independent review and public accountability are the best ways to prove a system is working — and to find and fix problems quickly when it’s not.
That’s why we make our apps open source, run a public bug bounty program, and invite penetration testing of our services. We also underwent a rigorous external audit and — on May 2, 2024 — received our ISO 27001 certification. Completing the SOC 2 Type II audit is a natural extension of this approach.
This attestation is also increasingly important for businesses evaluating tools for secure communication and collaboration. For many of these organizations — especially those in finance, healthcare, and other regulated industries — SOC 2 is a baseline requirement before moving forward with a vendor.
Proton’s SOC 2 Type II attestation proves that our security isn’t just technical — it’s operational. We meet strict, independently audited standards for how we handle data, systems, and processes.
What’s next
This SOC 2 Type II audit is just one piece of the bigger picture. It joins our ISO 27001 certification, GDPR and Swiss DPA compliance, and HIPAA support (when needed) — all part of building tools you can actually trust.
We’re going to keep pushing: improving our security infrastructure, making it easier for businesses to assess Proton, and sharing more about how we do our work.
Need the SOC 2 report for a vendor review or just want to take a closer look? Reach out to our team. We’re happy to walk you through it.
Thanks for being with us. We’ve got more updates coming soon to help you — and your team — stay secure.