Security & Compliance
SOC 2 Type II compliant.
Your data, encrypted and protected.
Brands like HexClad, Mejuri, dbrand, and Wild trust Fulfil with their inventory, orders, and financials. Here's why.
Type II Compliant.
Security controls independently audited and verified as effective over time. Not just designed well, but actually working.
Uptime.
Consistent availability your operations depend on. Track it yourself at status.fulfil.io.
Encrypted at rest.
All data encrypted at rest and in transit. TLS for every connection.
Google Cloud.
Multiple US data centers. Physical security, redundancy, and disaster recovery built in.
Compliance
SOC 2 Type II. Not just Type I.
SOC 2 Type I checks whether security controls are designed properly at a single point in time. Type II goes further: it verifies those controls are actually working, consistently, over 6–12 months.
What this means for you
- ✓ An independent auditor verified our security controls are working, not just documented
- ✓ Data handling, access controls, and operational procedures meet the standards your finance and compliance teams expect
- ✓ We undergo regular re-audits to maintain compliance as our systems evolve
Trust Center access
Need our full SOC 2 Type II report for your audit? Merchants can create a support ticket to request access to our Trust Center and complete compliance documentation.
Financial Controls
SOC 1 Type II. For customers with financial reporting requirements.
SOC 1 covers internal controls over financial reporting (ICFR). Type II means those controls have been tested and verified as operating effectively over time, not just documented.
Who needs this
Public companies, PE-backed brands, and any merchant whose auditors need assurance that financial data processed through Fulfil is accurate and protected from unauthorized changes.
How to get the report
Our SOC 1 Type II report is available to merchants on request. Create a support ticket to request access through our Trust Center.
Audits & Training
Independent audits. Annual training.
Regular security reviews across infrastructure, applications, and operational procedures. Plus training for every employee and partner.
Regular security audits.
Independent SOC 1 and SOC 2 Type II audits plus regular security audits with Amazon covering infrastructure, application security, and operational procedures.
Penetration testing.
Regular third-party penetration testing simulating real-world attacks against our infrastructure and application.
Security training.
Annual security training for all Fulfil employees. We also provide training for customers and third-party partners.
Access Control
You control who can access what.
Fulfil gives you the tools to enforce it.
Two-Factor Authentication
Enforce 2FA for all employees on your account. Supports authenticator apps and hardware security keys like YubiKeys.
Single Sign-On
SSO via Google or Microsoft. One login, centralized access management, fewer passwords to worry about.
Role-Based Permissions
Granular access controls so each team member only sees and does what they need to. No more shared admin accounts.
Your Data
Portable. Protected. Yours.
You own your data. We make it accessible and secure.
Data Portability
Full BigQuery dataset export if you leave. Not a CSV dump. Your complete data in a format built for long-term retention and analysis.
GDPR & Data Protection
We work with customers in the EU and UK. We can put in place a Data Processing Addendum (DPA) incorporating Standard Contractual Clauses (SCCs) to facilitate lawful data transfers under GDPR.
Best Practices
What we recommend to every merchant.
Fulfil handles platform security. These are things you should be doing on your end.
Credential Management
- Use a password vault like 1Password for all credentials
- Never share API keys or tokens in plain text via email
- Use hardware security keys like YubiKeys where possible
- Enable 2FA and use SSO for all your software
Key & Token Hygiene
- Rotate API keys and tokens on a regular schedule
- Rotate immediately when employees with access leave
- Regularly audit the scope of existing API keys
- Downgrade to read-only access where full access isn't needed
Access Auditing
- Regularly audit who has access to your accounts
- Remove access for former employees and contractors promptly
- Audit browser extensions being used by employees
- Limit admin-level access to people who truly need it
Vulnerability Reporting
- Found a security issue? Report it to security@fulfil.io
- We maintain a responsible vulnerability disclosure program
- Every report is taken seriously and investigated promptly
FAQ
Security questions. Answered.
Is Fulfil SOC 2 Type II compliant?
Where is my data hosted?
Can I export my data if we leave Fulfil?
Does Fulfil support SSO and 2FA?
Does Fulfil support GDPR compliance?
How do I report a security vulnerability?
Does Fulfil go through regular security audits?
Questions about security?
Our team can walk you through it.
We're happy to share compliance documentation and discuss our security practices.