Skip to content
Home / Blog / Is Onyx IQ SOC 2 Type II...
MCA Software

Is Onyx IQ SOC 2 Type II Certified? What That Means for Your Data, Your Merchants, and Your Capital Partners

Yes. Onyx IQ holds a SOC 2 Type II report, the same security standard that banks, credit funds, and institutional capital partners look for when they evaluate the systems a lending operation runs on.

That's the short answer. The longer answer is what SOC 2 Type II actually verifies, and why it matters for the things you're responsible for: your own data, your merchants' sensitive information, and the confidence your capital partners have in how you operate.

What SOC 2 Type II Actually Means

SOC 2 is a security standard built around how a company handles customer data. It measures controls across five areas: security, availability, processing integrity, confidentiality, and privacy. When a platform is examined against those controls and passes, it earns a SOC 2 report.

The difference between Type I and Type II is the part that matters.

A Type I report checks that the right controls exist on a single day. A Type II report is harder to earn: an independent auditor watches those controls operate over a stretch of months and confirms they actually work in practice, not just on paper. Type II is the version institutional partners ask for, because it proves the controls hold up over time rather than passing a one-day snapshot.

Earning a SOC 2 Type II report means an outside auditor, not the vendor, verified the security controls. That independence is the whole point. Any platform can describe itself as secure. A SOC 2 Type II report is a third party confirming it.

This still isn't the norm in MCA software. Many platforms in this space have never completed a SOC 2 audit, which means their security posture is whatever they say it is, with nothing external backing it up. When you're moving merchant financial data and answering to capital partners, that gap matters.

What This Means for Your Data

Your funding operation runs on data that would do real damage if it leaked: deal records, funding history, portfolio performance, banking details, and the internal numbers behind how you price and underwrite. SOC 2 Type II is the standard that governs how that data is protected inside the platform.

In Onyx IQ, that protection shows up in a few concrete ways. Data is encrypted and access-controlled, so information is protected both in storage and in transit. Role-based permissions let you control exactly who sees what: your collections team, your underwriters, your accountant, and your admins each get a view scoped to their job, so a login doesn't hand someone the entire operation. And every action is logged in an audit trail that records who touched a deal and what changed, down to the old and new values. If you ever need to answer who did what and when, the record is there.

The infrastructure sits underneath all of it. Onyx IQ is hosted on AWS across two separate states, so a regional outage or disaster in one location doesn't take your operation offline. Your data stays available and backed up, which is its own form of security: losing access to your records is as damaging as exposing them.

What This Means for Your Merchants

Every deal you fund carries your merchant's most sensitive information: bank statements, business financials, and often personal identifiers like Social Security numbers. Your merchant handed that data to you on the understanding that you'd protect it. The software you run determines whether you actually can.

When merchant data moves through a platform that hasn't been independently audited, you're trusting the vendor's word that it's handled safely. SOC 2 Type II replaces that trust with verification. The encryption, access controls, and audit logging that protect your own data protect your merchants' data the same way, and an outside auditor has confirmed those controls work.

That matters beyond the merchant relationship. Regulators and state disclosure laws increasingly hold funders accountable for how borrower data is stored and handled. Running on a platform with a SOC 2 Type II report means the system underneath your operation was built and verified to protect that data, which is exactly the posture you want if a merchant, a regulator, or your own counsel ever asks how their information is secured.

What This Means for Your Capital Partners

SOC 2 Type II earns its keep with your capital partners.

When you raise capital from a bank, a credit fund, or an institutional investor, they don't just evaluate your portfolio. They evaluate your operation, and that includes the technology it runs on. A capital partner putting money behind your deals wants to know the system holding those deals is secure and auditable.

A software vendor without a SOC 2 report becomes your problem to explain in those conversations. You end up vouching for a platform's security yourself, without anything external to point to. A vendor with a SOC 2 Type II report gives you a document to hand over instead. Your capital partner's diligence team recognizes it immediately, because it's the same standard they apply everywhere else.

The effect is that your vendor's certification makes you look more institutional. Funders raising a credit facility or formalizing a bank sponsor relationship are held to a higher standard of operational maturity, and the security of your core platform is part of that picture. Running on SOC 2 Type II-certified software is one less question you have to answer and one more reason a capital partner treats you as a serious operation.

How to Verify a Vendor's SOC 2 Claim

Because SOC 2 carries this much weight, some vendors describe themselves as "SOC 2 aligned" or "built to SOC 2 standards" without holding an actual report. Those phrases sound similar but mean something very different: they describe an intention, not an independent audit. Here's how to tell the real thing from the marketing version.

✓ Real certification
The vendor can produce a current SOC 2 Type II report, name the reporting period, and share it under NDA. The report is issued by an independent auditor, not written by the vendor.
△ Marketing version
The vendor says "SOC 2 aligned," "SOC 2 ready," or "built to SOC 2 standards" but can't produce a report or name a reporting period. That's a description of intent, not a completed audit.

Ask any vendor directly: do you hold a current SOC 2 Type II report, and can you share it? The answer tells you whether their security is verified or just described. With Onyx IQ, the answer is yes, and we can walk you and your capital partners through it.

What Onyx IQ's SOC 2 Type II Means for You

Onyx IQ holds a SOC 2 Type II report, which means an independent auditor confirmed our security controls work over time.

  • For your data, that means encryption, role-based access, audit trails, and redundant AWS hosting.

  • For your merchants, it means their sensitive information is protected by controls that have been verified, not just claimed.

  • For your capital partners, it means the platform behind your operation meets the standard their diligence teams already look for. Security you can point to, not just talk about.

Similar Posts