Is Harmony SOC 2 Compliant?
Harmony has completed a SOC 2 Type 1 independent service auditor’s report.
The report is for Harmony Global Inc and is dated March 15, 2026. It covers controls relevant to the Security, Confidentiality, and Availability trust services categories.
Quick answer
Harmony has completed SOC 2 Type 1 as of March 15, 2026, for Security, Confidentiality, and Availability.
Harmony should not be described as SOC 2 Type 2 certified unless and until a Type 2 report is completed.
What SOC 2 means
SOC 2 is an independent audit framework for service organizations. It evaluates controls related to customer data and service delivery.
Harmony’s SOC 2 Type 1 report covers:
- Security: Controls that protect systems and data from unauthorized access, unauthorized disclosure, and damage.
- Confidentiality: Controls that protect information designated as confidential.
- Availability: Controls that support system availability for operation and use.
Type 1 vs Type 2
SOC 2 Type 1 and SOC 2 Type 2 are closely related report types under the same framework, but they serve distinct purposes and the terms should not be used interchangeably.
A SOC 2 Type 1 report examines whether a company’s controls are appropriately designed and in place as of a specific date—it is a “snapshot” assessment taken at a single point in time. This means the audit evaluates the existence and design of relevant security, confidentiality, and availability controls, but it does not review how well those controls are maintained or operated over an extended period.
In contrast, a SOC 2 Type 2 report takes a deeper approach by assessing not only whether controls are effectively designed but also whether they are operating as intended over a sustained period, typically spanning several months. The Type 2 audit provides evidence that the controls are consistently followed and remain effective through real-world service operations, rather than just at a single audit date.
Understanding this distinction is important: Type 1 demonstrates initial control design and implementation, while Type 2 demonstrates ongoing operational effectiveness across an audit window.
Harmony’s current completed report is Type 1.
What the report proves
The report confirms that:
- Harmony completed an independent SOC 2 Type 1 audit.
- The report is dated March 15, 2026.
- The audited entity is Harmony Global Inc.
- The report covers Security, Confidentiality, and Availability.
- The audit evaluated controls at a point in time.
The report does not prove that Harmony has completed SOC 2 Type 2, is ISO 27001 certified, is HIPAA certified, or that every customer deployment has identical configuration, retention, integrations, permissions, or data residency.
Requesting the report
Customers who need the SOC 2 Type 1 report for vendor review should request it through their Harmony account team or the security contact used for vendor-security requests. SOC 2 reports are usually shared under appropriate confidentiality terms rather than published openly.
Other compliance questions
SOC 2 is separate from GDPR, HIPAA, ISO 27001, AI provider retention, and data residency. Answer those questions from the current privacy policy, data processing agreement, contract, and security documentation rather than inferring them from SOC 2.
Use precise wording such as:
- "Harmony has completed SOC 2 Type 1."
- "Harmony’s SOC 2 Type 1 report is dated March 15, 2026."
- "The report covers Security, Confidentiality, and Availability."
Avoid unverified claims such as:
- "SOC 2 Type 2 certified."
- "ISO 27001 certified."
- "HIPAA compliant."
- "Fully GDPR compliant" without linking to the current legal basis and DPA.
- "All data stays in the EU."
- "No data ever leaves customer infrastructure."