We have news we're proud of, news that we hope will change the way you evaluate the tools you entrust with your organization's data: Aidi has officially completed its SOC 2 Type II examination.
This isn't a badge we slap on a website. It's the result of months of rigor, a deep rethinking of our practices, and a genuine commitment to the public organizations that trust us with their project data.
In this post, we'll explain what it means, how we experienced it, and most importantly, why it should matter to you.
What is SOC 2 Type II — and why is it different from other compliance frameworks?
SOC 2 is an independent audit standard developed by the AICPA (American Institute of Certified Public Accountants). It evaluates whether an organization has put effective controls in place to protect the security, availability, confidentiality, and privacy of its customers' data.
The critical difference between Type I and Type II comes down to one word: time.
A SOC 2 Type I says: "At this specific point in time, the controls exist."
A SOC 2 Type II says: "Over a period of several months, these controls were consistently applied, and an independent auditor verified it."
Our SOC 2 Type II report contains zero exceptions. That means every single one of our controls performed as designed, without deviation, throughout the entire observation period.

"Achieving SOC 2 Type II is the culmination of a year-long transformation. We had to rethink our business from top-to-bottom in order to incorporate security at every level and department. Ultimately, our job was to build a culture where security is a habit."
— Cydrick Trudel, CISO, Aidi
What we actually built — and what it took
Achieving this attestation was not a weeks-long project. It was an organizational transformation. Here's what it involved in concrete terms:
27 policies formalized and documented, covering everything from access management to disaster recovery procedures, vulnerability management, and employee awareness.
88 controls designed, implemented, and maintained over time, each mapped to a specific criterion within the SOC 2 framework.
128 evidence tasks collected and submitted to the auditor to demonstrate that each control was genuinely operating throughout the entire examination period.

"At first, we underestimated the scope. When we realized what 'demonstrating operational effectiveness' actually meant, we had to rethink several processes. But that's precisely where the real value lies: we didn't do this for the auditor, we did it for our clients."
— Cydrick Trudel, CISO, Aidi
Automation played a key role. Rather than manually collecting evidence each time, our team built automation mechanisms so that compliance is continuous and repeatable for years to come.

"This project was part of our strategic objectives for the year. This wasn't just another item we slipped into our roadmap. We made a deliberate choice to concentrate our energy here rather than on other opportunities of higher visibility. But we felt it was the most important thing we could do for our clients. The security of their data is non-negotiable."
— Marc Parenteau, CEO, Aidi
What it actually means for you
For a CEO or CTO in the public sector, entrusting your data to a SaaS vendor is an act of trust, and a responsibility. Here's what Aidi's SOC 2 Type II attestation delivers directly to you.
Verifiable proof, not a promise. The attestation is not a self-declaration. It is the result of an independent audit. You don't have to take our word for it: a CPA-accredited third party has verified it on your behalf. And in our case, with zero exceptions in the report.
Rigorous coverage of the core trust criterion. Our examination is anchored in the Security Trust Services Criteria. As the foundational pillar of data protection, it maps directly to the legitimate concerns of public organizations managing sensitive data across infrastructure and construction projects.
Data hosted exclusively in Canada. All your data, databases and files, resides in the AWS ca-central-1 region in Montreal, Quebec.
Ongoing compliance, not a one-time effort. SOC 2 Type II is not an exam you take once. We are committed to renewing this attestation annually. It is a discipline embedded in our operations, not an exceptional effort.

"Our clients are asking increasingly specific questions about security. The SOC 2 Type II attestation now lets us answer them with a formal audit report, not just words. That's a fundamental shift in the conversation."
— Alexis Ragusich, Director of Operations, Aidi
Why organizations should require it — from all their vendors
Here's an uncomfortable reality: the majority of cyberincidents affecting organizations don't come from the inside. They arrive through doors that organizations leave open at their vendors.
A project management platform holds strategic information: schedules, budgets, proposals and contracts as well as communications between teams and contractors. If that platform doesn't meet verifiable security standards, your organization bears the risk.
SOC 2 Type II should be a minimum requirement in any RFP for a SaaS platform handling sensitive data. Here's why:
It makes security auditable. You're not asking the vendor whether they're secure; you're asking for proof that someone independent verified it over a meaningful period of time.
It protects your accountability. By requiring this attestation, you demonstrate that you exercised reasonable due diligence in selecting your vendors, an important protection in a public governance context.
It aligns incentives. A vendor who maintains their SOC 2 Type II attestation has every reason to keep their controls active, since they will be re-audited every year. It's not a one-time commitment; it's a culture.
It speaks the same language as privacy legislation. Compliance with privacy protection laws is an obligation for public organizations. SOC 2 Type II is not a substitute for those obligations, but the two align naturally: a vendor that has achieved a SOC 2 Type II attestation has already put in place the mechanisms that support your own compliance posture.

"What we're seeing more and more is that our clients must themselves demonstrate rigor to their boards, auditors and various stakeholders. When they can include us in their vendor files with a zero-exception SOC 2 Type II attestation, it lightens their own compliance burden."
— Alexis Ragusich, Director of Operations, Aidi
Our ongoing commitment
Achieving the attestation was the first step. Maintaining it is our permanent commitment.
We are already preparing our renewal for the coming year. Our team continues to automate evidence collection, improve our controls, and stay ahead of emerging threats, including in the context of AI integration within our operations and product.
Security is not a state. It is a practice.

"My goal is not only to maintain our SOC 2 Type II commitments, but to ensure our security program scales with our growth. Every new client, every new feature must meet the same standards. That's non-negotiable."
— Cydrick Trudel, CISO, Aidi
Visit our Trust Center
Want to review our SOC 2 Type II report, learn more about our security controls, or request documentation? Everything is available on our Trust Center: https://trust.aidi.io
Because trust is earned, and proven.




