We're excited to share that Financial Modeling Prep is officially SOC 2 Type 1 compliant. This milestone reflects an independent assessment of how our controls are designed and implemented to support secure, reliable, and well-governed data delivery.

The audit confirms that our access controls, monitoring practices, credential safeguards, and system operations are structured in line with widely accepted expectations for modern financial and enterprise environments, as of the audit date.

What SOC 2 Is and Why It Matters

SOC 2 is a widely recognized auditing framework created by the American Institute of CPAs (AICPA). It is considered an industry benchmark for evaluating how technology providers manage and protect customer data.

A SOC 2 Type 1 report focuses on whether a company's controls are suitably designed and implemented at a specific point in time. The audit evaluates both the documented description of the environment and the design of relevant controls that support security, availability, processing integrity, confidentiality, and privacy.

Organizations across finance, technology, and enterprise IT rely on SOC 2 reporting to understand whether a vendor's control environment is structured to support secure and reliable integration. For FMP users, this provides independent assurance that the platform's control design aligns with established standards for data protection and operational governance.

The SOC 2 Trust Services Criteria

SOC 2 audits evaluate a vendor's control environment against five core areas known as the Trust Services Criteria:

Security
Checks that systems are protected from unauthorized access through controls such as multi-factor authentication, access reviews, and monitoring of privileged activity.

Availability
Assesses whether systems are designed to remain reliably accessible, supported by documented uptime practices, recovery procedures, and capacity planning.

Processing Integrity
Verifies that systems are designed to produce complete, accurate, and valid data, with controls around approved changes and controlled deployment processes.

Confidentiality
Evaluates how sensitive information, including API credentials, is stored, encrypted, and restricted based on clearly defined access roles.

Privacy
Reviews how personal information is collected, used, retained, and disclosed in accordance with stated policies.

Together, these criteria frame what auditors review in a SOC 2 examination and what organizations look for when they assess the readiness and reliability of a technology partner.

What the Audit Reviewed at FMP

During the SOC 2 Type 1 audit, reviewers evaluated how FMP describes its control environment and how key controls are designed and implemented as of the audit date. This assessment covered areas such as:

• Account provisioning and permission updates

• Multi-factor authentication enforcement

• Credential storage and rotation procedures

• System monitoring and alert escalation paths

• Incident response workflows and documentation

• Change management practices and deployment approvals

• Uptime tracking and recovery procedures

For a Type 1 report, auditors confirm that these controls are suitably designed and implemented at the specified point in time. The opinion does not test or attest to how those controls operate over an extended period. Instead, it provides a validated snapshot that the control environment is set up in a way that aligns with SOC 2 expectations.

What SOC 2 Type 1 Compliance Means for FMP Users

FMP's SOC 2 Type 1 report provides practical, third-party validation that the platform's control environment is designed with security and governance in mind.

Stronger Confidence in Control Design
Users can rely on the fact that FMP's access controls, credential handling, and monitoring practices have been independently evaluated for suitability of design and implementation at the audit date.

Support for Secure API Usage
For teams integrating FMP data into scripts, dashboards, or applications, SOC 2 Type 1 compliance helps demonstrate that key controls around authentication, credential management, monitoring, and system configuration follow a structured approach.

Clearer Documentation When You Need It
When you need to explain to stakeholders how your tools connect to FMP, the SOC 2 report can serve as a reference point. It gives security, risk, and compliance teams an external document that outlines how the control environment is described and designed.

While a Type 1 report does not validate performance over time, it establishes a clear baseline that the control environment is thoughtfully constructed and aligned with SOC 2 criteria as of the audit date.

What SOC 2 Compliance Means for Enterprise Partners

For organizations that are using or evaluating FMP as a data vendor, SOC 2 Type 1 compliance helps support internal security, risk, and procurement workflows.

Reduced Friction in Vendor Risk Reviews
SOC 2 provides audited information about how access is governed, how credentials are stored, and how monitoring and response processes are designed. This helps vendor risk and security teams complete their assessments with a stronger base of evidence.

Faster Procurement and IT Security Questionnaires
Because SOC 2 aligns FMP's control description with a widely used standard, many common questions in due diligence and security questionnaires can be addressed with reference to the report.

Confidence in Governance and Change Management Practices
Type 1 compliance indicates that change management, deployment approvals, and related governance controls are documented and implemented at the audit date. This supports evaluations of how FMP plans and manages changes that may affect downstream systems.

Alignment with Internal and Regulatory Expectations
For organizations that must meet internal audit standards, regulatory expectations, or formal vendor risk frameworks, a SOC 2 Type 1 report helps demonstrate that a baseline set of controls is in place and has been independently reviewed.

SOC 2 Type 1 does not replace your own internal reviews. Instead, it provides a trusted starting point and a shared vocabulary for discussing security, governance, and integration readiness when you evaluate FMP as part of your architecture.

Building on a Verified Foundation of Trust

Achieving SOC 2 Type 1 compliance is an important step in FMP's ongoing commitment to secure, dependable, and transparent data operations. The audit confirms that our control environment and supporting processes are documented and designed in line with SOC 2 criteria at a specific point in time.

For teams of all sizes, from individual analysts to large enterprise integrations, this report offers additional assurance that FMP's infrastructure and controls have been independently evaluated. It provides a stable foundation for the work you do with our APIs today and for future improvements to the platform.

As we continue to mature our governance and operational practices, this Type 1 report also positions FMP to pursue future SOC 2 milestones that focus on control performance over time.

Frequently Asked Questions

What is SOC 2?

SOC 2 is a security and operations auditing framework created by the AICPA. It verifies whether a company maintains suitable controls related to security, availability, processing integrity, confidentiality, and privacy.

What type of SOC 2 report does FMP have?

FMP currently has a SOC 2 Type 1 report. A Type 1 audit evaluates the design and implementation of relevant controls at a specific point in time, based on the system description and control set in place as of the audit date.

Does SOC 2 guarantee there will be no incidents?

No. SOC 2 does not guarantee that incidents will never occur. It verifies that defined controls exist and are designed and implemented in a way that aligns with the Trust Services Criteria, and that processes for prevention, detection, and response are documented.

Why is SOC 2 important for API-driven platforms?

For API-driven platforms, SOC 2 helps validate that key elements such as authentication, credential management, monitoring, and change control are governed by formal controls. This is important when APIs feed critical workflows, models, and applications.

How can customers access the SOC 2 report?

Customers can request access to FMP's SOC 2 Type 1 report through their FMP account representative. The report is typically shared under a non-disclosure agreement (NDA) as part of standard security and vendor risk review processes.