Avrea is SOC 2 Type 2 attested

Avrea is SOC 2 Type 2 attested, covering the Security, Availability, and Confidentiality criteria. The attestation report was issued six weeks after our ISO 27001:2022 certification.

A CI platform sits right in your software supply chain. We run your builds and hold your source code, caches, and secrets, which is a lot of trust to ask for, and CI is exactly what attackers go after.

How we did it

We built Avrea security-first, so getting this right was never optional. The controls were designed to meet audit requirements before we booked either audit.

We ran the ISO 27001 and SOC 2 audits in parallel. That's only practical when the security posture is solid from day one, and it helped that the two frameworks overlap by about two-thirds.

As a result, we can produce automated evidence reports on demand, which makes future audits and ongoing compliance significantly easier to maintain.

What it means for you

SOC 2 is a compliance standard used by many enterprises when running vendor security reviews. An independent third-party audit, performed in parallel with ISO 27001, gives you a verified record to stand behind.

Whether you are a startup going through your first enterprise deal or a large organization managing a stack of vendor reviews, having a SOC 2 attested CI vendor in your stack removes one item from the evaluation list. The security posture is there from day one.

Fast CI and a solid security posture come from the same place: building things right the first time.

The report

The initial attestation report covers the period 9 February to 9 May 2026. As an ongoing obligation, the report will be renewed annually.

The full report is available under NDA. Trust documentation and certificates are at trust.avrea.com. System availability and incident history are at status.avrea.com.

To request the report, reach out at support@avrea.com.