Your notes, specs, and team knowledge live on HackMD. That’s a responsibility we take seriously, and one we don’t think you should have to take our word for. 🔐

That’s why we’re glad to share that HackMD is now SOC 2 compliant, having completed our System and Organization Controls (SOC) 2® Type II examination: an independent assessment of our controls relevant to security.

What a SOC 2 examination actually is

SOC 2 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). In a SOC 2 examination, an independent CPA firm assesses a service organization’s controls against the AICPA’s Trust Services Criteria. That covers things like access management, change management, incident response, and data protection practices.

The outcome isn’t a badge we printed for ourselves. It’s a detailed report, prepared by Johanson Group LLP, describing our systems and the controls we have in place. And because this is a Type II report, it covers how those controls operated over a period of time, not just a single point-in-time snapshot.

Why we did this

HackMD has always been a place where teams work on things that matter: internal docs, RFCs, research, meeting notes, and increasingly, the living context documents that feed AI workflows. As more teams bring that work to HackMD, including enterprises with formal vendor security reviews, “trust us” isn’t a good enough answer.

A SOC 2 report gives your security team something concrete to evaluate. It shortens vendor reviews, answers due-diligence questionnaires before they’re asked, and holds us accountable to practices we’d want to follow anyway.

What this means for you

For most users, nothing changes day to day. And that’s the point. The examination assesses the controls already operating behind the editor you use: how we manage access to production systems, how changes ship, how we monitor for and respond to incidents, and how we protect the data you store with us.

For teams evaluating HackMD, it means there’s now an independent report you can review as part of your security assessment.

How to request our SOC 2 report

Because the report contains detailed information about our security posture, we share it under a non-disclosure agreement. To request a copy, reach out to our team at support@hackmd.io and we’ll get the process started.

Security is a practice, not a milestone

Becoming SOC 2 compliant isn’t the finish line. It’s a commitment to keep operating this way, and to keep demonstrating it. We’re committed to keeping security and trust at the forefront as HackMD grows.

Thank you for trusting HackMD with your team’s knowledge. We don’t take it lightly.

Stay tuned for more and don’t hesitate to share your thoughts with us in our Discord. 💜