We’re proud to announce that Cron To Go has officially completed its first SOC 2 Type II audit. This independent assessment verifies that we operate in line with the AICPA’s Trust Services Criteria for security, availability, and confidentiality: all essential pillars for any service depending on time-sensitive, production-grade tasks.
For engineering teams automating critical jobs in staging and production, this certification offers external validation of the care and consistency that underpin our infrastructure.
What SOC 2 compliance involves
SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) to assess how service providers manage data. The SOC 2 Type II audit we completed evaluates whether our controls function effectively over an extended period, typically six to twelve months.
- Security : Preventing unauthorized access to schedules, APIs, and logs
- Availability: Ensuring uptime for job execution, status tracking, and dashboard control
- Confidentiality: Protecting schedule metadata, credentials, and stored variables
Auditors reviewed how Cron To Go’s infrastructure is built, maintained, and monitored, not just technically, but procedurally.
How Cron To Go supports secure operations
We’ve built Cron To Go with a foundation of secure practices that inherently align with SOC 2 expectations. Compliance isn’t just about passing an audit, it’s about building things right from the start. Cron To Go has always operated with strong internal controls, and this audit just makes that visible.
Features supporting SOC 2 compliance include:
Security
- Secure API access using CRONTOGO_API_KEY and CRONTOGO_ORGANIZATION_ID
- Webhook authentication through HMAC signatures and optional authorization headers
- Job execution runs in Heroku one-off dynos with inherited platform security
- Email and webhook alerts for failed executions support early issue detection
Availability
- Job history is accessible via the dashboard and CLI
- Webhook delivery logs include status, response codes, and retry options
- Dyno timeouts help prevent job overlap and hanging processes
- Notifications on job failures and recoveries assist with operational continuity
Confidentiality
- Access is scoped by Heroku’s role-based permissions
- Logs are not stored by Cron To Go and are only pulled from Heroku
- Webhook filters allow selective delivery to limit data exposure
These are foundational requirements for us and part of why Cron To Go is trusted across industries that depend on precision and traceability.
Internal practices that support secure operations
Security starts with how we work. Our internal practices include documented policies for access control, password hygiene, incident response, internal audits, and change management. Every team member completes regular security training and signs confidentiality agreements. When policies are updated, staff review and acknowledge them promptly.
The outcome is a scheduling platform built on consistent, disciplined operations.
Get the full SOC 2 report
If you want to know more, you can access our latest SOC 2 Type II report through the Cron To Go Trust Center.
