Opus Guard now has SOC 2 Type II, and our Guide to SOC 2 compliance
We are delighted to share that Opus Guard now has its SOC 2 Type II attestation. You can see this for yourself in the Opus Guard Trust Center at https://trust.opusguard.com.
When we set out to bring Opus Guard into the enterprise compliance and retention spotlight, we knew that SOC 2 would be part of the journey. For many customers, it’s a gold standard of trust. It’s a formal, audited way to prove that your systems don’t just claim to be secure, but have had their controls examined by an independent auditor, and, for a Type II report, tested for operating effectiveness over a period of time rather than at a single point.
"For an app that can delete everything you care about, demonstrating this high level of compliance of our own is incredibly important." -Nick Wade, co-founder and COO, Opus Guard
What we didn’t realize at the start was how much our architectural choices would influence the path. Building entirely on Atlassian Forge, and qualifying for the Runs on Atlassian program, reshaped our experience significantly. Instead of wrestling with server patching, network diagrams, and evidence binders about infrastructure we didn’t actually run, we found ourselves building on a foundation Atlassian had already secured and audited on our behalf.

What SOC 2 really represents
SOC 2 is often introduced as a compliance checkbox needed for procurement, but it’s really more than that. It’s a solid framework built around the Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy. (Security is the one criterion every SOC 2 report must cover; the other four are in scope only if the organization chooses to include them.) In practice, it forces you to examine how your company operates day-to-day: how you control access, how you monitor and respond to incidents, how you manage change, and even how your people are trained.
For us, SOC 2 is less about producing a report and more about aligning our internal discipline with the trust our customers expect. We are a compliance company at heart, after all. And it made the invisible, like logging and monitoring practices, just as important as the visible, like product features.
Atlassian Forge advantage
Here’s where our story diverges from many SaaS companies before us. Because every Opus Guard application runs exclusively on Atlassian Forge, the compliance boundary shifts in a powerful way. Atlassian already maintains its own SOC 2 attestation over Forge’s infrastructure. That means physical data center security, baseline hardening, environment isolation, and platform-level encryption are already covered, and those controls are largely inherited by us rather than re-implemented. Inheriting a control doesn’t mean ignoring it: we still have to show our auditor which controls Atlassian provides and which remain ours.
Our auditors recognized this from the beginning. Rather than forcing us to duplicate Atlassian’s evidence, we mapped their controls to our own and documented the split of responsibilities. The audit focus then narrowed to the parts we truly own: our code and its change management, how we manage access, how we respond to incidents, and how our apps process and retain customer content. That clarity turned what could have been a sprawling audit into something leaner and more accurate.
Walking Through the Audit
Preparation still mattered. We spent days defining policies, tightening procedures, and making sure evidence would be available when requested. Choosing an auditor who quickly understood Forge was critical — not every firm is familiar with the way inherited controls work in a platform like this. Once aligned, the process became less about proving the basics of cloud security and more about demonstrating that we were building responsibly within Atlassian’s ecosystem.
The audit period itself was, as usual, somewhat intensive. There were walkthroughs, evidence requests, and clarifications. But instead of a drain, it simply felt like validation. We were showing that Forge isn’t just a developer convenience; it’s a compliance advantage.
Lessons in Retrospect
Looking back, a few things stand out. First, designing with compliance in mind from the start paid early dividends. Because we don’t manage our own servers, we don’t carry the weight of explaining how they’re secured. Second, engaging with our auditor early smoothed out what could have been rough terrain. Your auditor will need to know exactly what Atlassian provides you, and what it does not, before the audit begins. And third, transparency is powerful. Sharing the outcome with customers doesn’t just check a box; it builds real confidence.
SOC 2 wasn’t the finish line, but it gave us a framework we’ll carry forward — one that shapes how we think about policies, monitoring, and accountability as Opus Guard grows.
What It Means for Our Customers
The result is simple: if you use Opus Guard, you inherit the confidence of a system built on Atlassian’s secure, audited infrastructure, and reinforced by our own SOC 2 Type II audit covering the parts we control. Vendor questionnaires become shorter. Trust conversations get easier. And your security team knows the app isn’t standing on shaky ground.
Compliance may sound dry on the surface, but in practice it’s a story about trust. For us, that story is intertwined with Atlassian Forge — and for our customers, that means the confidence that your retention management tools are built to stand up to scrutiny.
👉 Ready to enhance your own compliance by automating your retention policies? Try Content Retention Manager free via Atlassian Marketplace today.