
What information is available?

Best Answer

Yes.

We maintain annual SOC 1 (Type I and II) and SOC 2 (Type I and II) external audit reports.

The reports are available under NDA for customers.

  • Odoo ISAE3402 SOC 1 Type I
  • Odoo ISAE3402 SOC 1 Type II
  • Odoo SOC 2 Type I
  • Odoo SOC 2 Type II


Please contact your Odoo Business Advisor or Account Manager for access, which starts with signing our NDA (so be sure to identify who in your organization is empowered to act on behalf of your legal and/or compliance team by signing).


SOC 1 compliance refers to a set of standards and guidelines for service organizations to ensure the security, availability, processing integrity, confidentiality, and privacy of financial data. SOC 1 (Service Organization Control 1) is a report created by the American Institute of Certified Public Accountants (AICPA) to assess a service organization's controls over financial reporting.

SOC 1 compliance is important for organizations that provide services to other companies, such as data centers, payroll processing firms, and other service providers that handle sensitive financial information. By obtaining SOC 1 compliance, service organizations can demonstrate to their customers and stakeholders that they have effective controls in place to protect their financial data.

There are two types of SOC 1 reports: SOC 1 Type 1, which evaluates the design of controls at a specific point in time, and SOC 1 Type 2, which evaluates the operating effectiveness of controls over a specified period of time.

SOC1 audit reports are equivalent to ISAE3402 audit reports.


SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy. A SOC 2 report is tailored to the unique needs of each organization. Depending on its specific business practices, each organization can design controls that follow one or more principles of trust. These internal reports provide organizations and their regulators, business partners, and suppliers, with important information about how the organization manages its data. There are two types of SOC 2 reports:

  • Type I describes the organization’s systems and controls and whether their design complies with the relevant trust principles.
  • Type II details the operational efficiency of these systems and controls over a specified period of time.



We also provide a complete Cloud Security Alliance CAIQv3 questionnaire; the link is on our Security Policy page at odoo.com/security.

We do not have ISO 27001 or any other certifications besides the above at this time. However, we follow all best practices of the industry as described in our Security Policy, and we only process customer data in secure data centers hosted by well-known providers that meet our strict security requirements and offer all industry-standard certifications and guarantees, including ISO 27001 (see also Q24 and our Privacy Policy for a list of their certifications).

Note: Our CAIQ and our SOC 2 reports are industry standards and cover all the important security & compliance questions. The CAIQ self-assessment questionnaire even contains a mapping towards many other standards such as ISO 27001, PCI DSS, FedRAMP, HIPAA & HITRUST, etc.

We do of course take into account the OWASP Top web vulnerabilities in the design of our software and platform, and it is an important concern during all code reviews (more info on this in the Security Policy too).

