29 Mar 2021

Apperio achieves AICPA SOC2 Type 2 certification


We are pleased to announce that Apperio has been awarded a full SOC2 Type 2 security certification, adding to our existing suite of security accreditations: ISO27001 and Cyber Essentials Plus.

As companies and law firms accelerate their transition away from familiar, legacy, on-premise software tools towards modern cloud-based SaaS platforms, one of the key areas of apprehension is, understandably, security.

The data we handle at Apperio is exceptionally sensitive and we take our responsibility as a custodian of it very seriously. Security is not merely a feature of Apperio, or something we pay lip service to - it is a core tenet in how we design and build every aspect of our platform and it’s one of our most significant areas of investment.

Security is baked into the culture of Apperio and it affects every facet of how we operate our organisation. That is why, every day, hundreds of the world’s largest law firms use Apperio and trust us to share legal spend data with their clients securely. 

For more information about Apperio’s security capabilities or certifications, please contact us at info@apperio.com.

For customers looking for the details of our SOC 2 report, please contact your Customer Success Manager.

* * *

Quick overview of the Information Security standards

SOC 2 Type 2

American Institute of Certified Public Accountants (AICPA) SOC 2 Type 2 is an evaluation, over an extended period of time, of the operational effectiveness of systems designed for managing customer data, based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy. It is independently audited on an annual basis.


ISO27001

ISO27001 is a globally recognised standard for Information Security Management Systems with emphasis on good governance and mitigating information security risk with a comprehensive series of technical and organisational controls. It is independently audited on an annual basis.

Cyber Essentials Plus

Cyber Essentials Plus is a cyber security programme originally designed by the UK government to help organisations protect computer systems and the underlying data. It is a mandatory requirement for UK government suppliers to attain this level of competence. It includes a penetration test and is also independently audited on an annual basis.