Trust Center

We care about your data. At Lukka, we invest both our time and capital to make sure that you can trust our products. This is challenging and requires constant attention, but our goal is to manage the risk associated with our products so that we can enable you to focus on your business and not on the reliability or quality of our products. We strive to add the frameworks that you care about and want your feedback.

AICPA SOC Reports

AICPA SOC reports serve an important role in the management of Service Organization (or vendor) risk. The AICPA independently sets the standards associated with SOC audits. Typically annually, an independent auditor audits a Service Organization's controls against this framework; the audit concludes with a report describing the results. Any organization that uses a Service Organization as a vendor can then rely on these reports to mitigate the risks associated with the products it is using.

Service Organization Company: a term used to describe vendors in a standards framework governed by the American Institute of Certified Public Accountants (AICPA).

A SOC 1 Report is the result of an audit of controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting. In short, if our products produce financial calculations, you want us to have this report prepared by a reputable auditor.

A SOC 2 Report is the result of an audit of the controls at a Service Organization relevant to the Security, Availability, Processing Integrity, Confidentiality or Privacy risk domains. Not every SOC 2 covers all of these, so check which domains are relevant to your business and ask for the report itself to confirm that it covers what you need.

This is very important to understand: both Type I and Type II audits “report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description”. However, a Type I is conducted “at a specific date”, so it is usually faster and less costly, and gives you much LESS assurance that controls are working. In contrast, a Type II is conducted “throughout a specified period”, so it is more comprehensive: during a Type II audit, the controls are verified to be operating over a period of time in order to ensure they are working consistently. Type II reports typically take longer and are more costly to conduct, but the result is more mature controls. Lukka only conducts Type II audits for BOTH SOC 1 and SOC 2 reports.

SOC 1 Type II

12-month period, updated annually

Lukka was the first company serving the crypto industry to perform an AICPA SOC 1 Type II audit in 2018 and then a SOC 2 Type II in 2019. Read more about how we invest in top auditors to look at our technology risk so that you don’t have to.

SOC 1 reports are on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (ICFR). These reports, prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, are specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.

No, they are all custom-tailored to the specific Service Organization and can vary significantly. We recommend asking any Service Organization that you plan on using as a vendor who their SOC auditor is, for a copy of the SOC report, whether it was a Type I or Type II (Type II is strongly preferred), and how many years the Service Organization has conducted SOC audits.

Lukka conducts both SOC 1 Type II and SOC 2 Type II audits annually. For the portion of the year outside of testing periods, we offer bridge letters to customers upon request.

SOC 2 Type II

Per the AICPA, SOC 2 reports cover controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

These reports can play an important role in: 

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

No, they are all custom-tailored to the specific Service Organization and can vary significantly. A SOC 2 report in particular may cover any subset of the five risk domains: Security, Availability, Processing Integrity, Confidentiality, and Privacy. We recommend asking any Service Organization that you plan on using as a vendor who their SOC auditor is, for a copy of the SOC report, whether it was a Type I or Type II (Type II is strongly preferred), and how many years the Service Organization has conducted SOC audits.

ISO/IEC 27001

Data is everything to a business, and data that you can trust is an incredibly valuable asset to help drive decision making. Data needs to be protected against various risks, whether natural, accidental, or deliberate. In order to manage these risks, an effective information security management system (ISMS) must be established. An ISMS focuses on the people, processes, organizational structures, and systems that help to ensure the security, confidentiality, integrity, and availability of information. To ensure that best practices are in place when implementing an ISMS, an organization should obtain an ISO/IEC 27001 Certification. ISO/IEC 27001 is one of the most widely recognized and internationally accepted frameworks on information security. It is an auditable standard that provides requirements for the overall management of information security. To receive an ISO/IEC 27001 Certification, an organization must demonstrate to an independent certification body that it has implemented its ISMS in accordance with the requirements outlined in the ISO/IEC 27001 standard. Being ISO/IEC 27001 Certified means that an organization is dedicated to putting risk management first.

ISO/IEC stands for International Organization for Standardization/International Electrotechnical Commission. ISO/IEC is a joint committee that issues the ISO/IEC 27000 family of standards. Out of the dozen standards in the 27000 family, ISO/IEC 27001 is the world’s best-known standard for information security management systems.

ISO/IEC 27001 Certifications can only be issued by certification bodies: organizations licensed by accreditation bodies to perform certification audits and to assess whether a company’s Information Security Management System complies with ISO/IEC 27001. Lukka’s ISO/IEC 27001 Certification was issued by an independent organization, the British Standards Institution (BSI).


BSI was the world’s first National Standards Body and was a key player in the formation of other standards bodies. In 1995, BSI originally published BS 7799 to provide a comprehensive set of controls comprising best practices in information security. In October 2005, BS 7799 was revised and updated to what is now recognized as ISO/IEC 27001.

Cloud Providers

Lukka systems operate on AWS cloud platforms, allowing for agility and instant elasticity in the most stable and secure environments available today. AWS Cloud systems power hundreds of thousands of businesses in 190 countries around the world, with world-class data center locations in the U.S., Europe, Brazil, Singapore, Japan, and Australia.

Lukka Prime Governance

Lukka Prime is a pricing and valuation data service that utilizes a proprietary methodology designed for the unique characteristics of the crypto ecosystem. The methodology is designed to align with guidelines such as those described under IFRS and US GAAP, which specify generally accepted rules for determining the Fair Market Value (FMV) of an asset that is exchanged in liquid markets. In addition to utilizing this methodology, Lukka Prime is governed transparently and has clearly defined standard operating procedures. The governance structure provides for regular oversight by qualified senior members of the Lukka organization, and all changes to the methodology or its inputs are made in a controlled manner that is recorded for auditability. Procedures are both automated and managed by a team of data professionals, who operate the mechanisms for handling escalations and other inquiries with a focus on data quality, reliability, consistency, preserving independence, preventing conflicts of interest, and ensuring detailed audit logs. The Lukka Prime Pricing Integrity Manual is available upon request to users of Lukka Prime, as are other attestation reports such as Lukka’s AICPA SOC 1 Type II and SOC 2 Type II reports.

Trusted By

…and hundreds more businesses.