Bonsai is SOC 2 Type 1 certified
A behind-the-scenes look at what it takes to earn enterprise-grade security certification — and what comes next.

When we set out to build Bonsai, we made a fundamental choice: your first-party customer data would never be treated like just another dataset. It's the foundation of how modern B2C companies understand their business, and it deserves to be protected accordingly.
Today, we're announcing that Bonsai has successfully completed SOC 2 Type 1 certification. But this isn't just a checkbox — it's validation of the security infrastructure we've built from day one.
What SOC 2 Type 1 actually means
SOC 2 Type 1 is an independent audit that examines whether your security controls are designed correctly. Think of it as a comprehensive inspection: Are the right processes documented? Are access controls properly configured? Do your systems protect data the way you claim they do?
For Bonsai, this audit covered Security, Availability, and Privacy controls — the Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA). Our auditors reviewed everything from how we manage employee access to production systems, to how we monitor for security incidents, to how we handle customer data across our entire platform.
Why this matters for marketing measurement
Here's the reality: marketing measurement platforms touch some of your most sensitive data. Purchase behavior. Customer identities. Revenue attribution. The platforms claiming to "measure" your marketing are often asking you to hand over the keys to your customer data warehouse.
We built Bonsai differently. We don't use third-party cookies. We don't sell your data. We don't share it with ad platforms to "optimize" their algorithms. But saying "we take security seriously" isn't enough when you're asking companies to trust you with their first-party data. You have to prove it.
That's what SOC 2 does. It's third-party validation that our controls are designed to:
- Limit access to customer data — Only authorized team members can access production systems, with access reviewed regularly to ensure the right people have access to the right things for the right reasons.
- Maintain system availability — Your measurement infrastructure needs to be reliable. Our controls ensure uptime and resilience so you can trust that your data is always accessible.
- Protect privacy — From how we handle customer information to how we process marketing data, our privacy controls are built into every layer of the platform.
- Detect and respond to issues — Our monitoring and logging systems can identify potential security concerns and alert our team when intervention is needed.
What happens next
Completing SOC 2 Type 1 is step one. We'll soon be entering the 90-day observation period for SOC 2 Type 2 certification.
Here's the difference: Type 1 confirms that our controls are designed correctly. Type 2 confirms that we follow those controls consistently over time. It's the difference between having a security playbook and proving you execute it day after day.
Type 2 is the certification that enterprise security teams actually require. It's the one that matters for regulated industries. And it's where we're headed next.
How this impacts you
If you're a current Bonsai customer: nothing changes in how the platform works. What this does is confirm that the security practices protecting your data — the ones we've had in place since launch — meet the standards of independent auditors.
If you're evaluating Bonsai: you can request our SOC 2 report during the discovery process. When your security team asks "How do you protect our data?" — this is the answer.
The bigger picture
SOC 2 Type 1 is a milestone, but it's part of a longer commitment. As regulations like California's DROP tool eliminate third-party data and privacy requirements tighten across the industry, companies need measurement infrastructure they can actually trust.
We're building that infrastructure. And now we have independent validation that we're doing it right.




