Security and compliance roundup

Passbolt team

14 February, 2022

As Douglas Adams famously said: “I love deadlines. I like the whooshing sound they make as they fly by”. Spring is (hopefully) soon upon us, and yet we almost forgot to let you know about some of the last few months' achievements on the security front. Let’s fix that.

SOC2 Type II

First off, we are very pleased to announce that, thanks to a company-wide effort, we have successfully completed our SOC2 Type II audit. SOC2 is a well-established and recognized standard of information security compliance.

Fig. 1 SOC2 logo with criteria categories

SOC was developed by the American Institute of CPAs (AICPA) and is used by companies all over the world, including European companies like us. This compliance framework allows third-party auditors to validate our internal controls with respect to information security.

To obtain our audited SOC 2 Report, a third-party auditor, Johanson Group LLP, reviewed our internal controls through a series of around 120 tests. Such internal controls include the reviews of policies, procedures and infrastructure regarding many critical areas of our business, such as data security, firewall configurations, change management, logical access, backup and disaster recovery, security incident response and many more.

A SOC2 Type II report is very similar to the Type I report but with a few significant differences. To prove Type II compliance, an organization must undergo rigorous auditing over a longer period of time. While Type I is more of a temperature check at a given time, Type II focuses on making sure such controls are implemented consistently over time and is therefore generally done on an annual basis.

This audit is just one of the steps we are taking towards security transparency and compliance. We are obviously committed to continually improving our information security program and retaining an annual SOC 2 audit.

In accordance with SOC recommendations, an NDA is required to review our Audited Report. This report can be obtained by companies that are Passbolt customers by contacting us on regular customer support channels.

Code and Infrastructure security audits

As you may have seen in the release notes or this blog, in the course of 2021 Cure53 performed a series of six audits in order to provide a 360-degree review of the passbolt ecosystem as a whole. Each audit involved several security researchers and each lasted for about a week.

Fig. 2 Number of security issues fixed in 2021 grouped by criticality

The first audit focused on the overall security model (e.g. passbolt security whitepaper) and was discussed in a dedicated blog post. The second and third audits were already published last year and covered the Web Extension and the API; neither contained any major issues.

The fourth one aimed at reviewing the infrastructure of passbolt cloud. As you may know, passbolt cloud is hosted in the Google Cloud datacenters in Belgium. For security reasons this report is not public, but long story short, no major issue was found, only hardening suggestions. These suggestions were implemented during the course of the summer.

The fifth audit focused once again on the extension, concerning the new “in-form integration” and “password generator” functionalities which were rolled out last fall. Our goal was to make sure that these two new sensitive features didn’t include critical design issues at launch time.

Finally, the sixth and final report, published in December, focused on the beta version of the mobile application and the changes needed on the browser extension and the API side to support the mobile applications (as well as an audit of the community-led project go-passbolt-cli). The details of the findings, which were promptly fixed, have been covered in the last release notes.

Security Made in Europe

Additionally, we are humbled to have been the very first company to be awarded the “Security Made in Europe” label from the European Cyber Security Organisation (ECSO) and to have been awarded the “Made in Luxembourg” label from the Luxembourg Chamber of Commerce.

Fig. 3 Cybersecurity Made in Europe logo

While there are not many European-level certifications around security, we welcome efforts in this direction. We are planning to apply for an ANSSI certification and its European equivalent as soon as it becomes available. We will also start the groundwork for the next steps: ISO/IEC 27017 and 27001 certifications. We are excited to get started on these journeys and will keep you posted on our progress.


Security is a very humbling discipline. There is always something new to learn or discover. There is always something to improve or something that could have been done better.

This is how we approach these audits and certifications. Rather than a quick one-stop-shop rubber stamp, our goal is to continue working with security researchers and auditors and give them more time to dig deeper into a topic to bring back new interesting learnings for our team. It is a marathon, not a sprint.

We hope that these recent combined efforts demonstrate our philosophy with regard to security and how much we value the trust of the passbolt community as a whole. Thank you for your renewed trust and support.

As always, the team is available on the community forum or at [email protected] for any questions you may have.