---

Our Journey to SOC 2 Type II Compliance

At Loan Originator Networks (LON), trust is fundamental to everything we build. As a platform embedded in core mortgage workflows, we handle sensitive loan, borrower, and financial data on behalf of banks, lenders, and brokers. From day one, we have treated security and reliability as first-class product requirements—not afterthoughts.

Achieving SOC 2 Type II compliance is an important milestone in that commitment and reflects how we operate every day.

---

What SOC 2 Type II Means

SOC 2 is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) to evaluate how service organizations protect customer data. A Type II report goes beyond policy design and verifies that controls are operating effectively over a sustained period of time.

For our audit, Loan Originator Networks was evaluated against the Security, Availability, and Confidentiality Trust Service Criteria. These criteria focus on protecting systems from unauthorized access, ensuring platforms remain available and resilient, and safeguarding sensitive information throughout its lifecycle.

SOC 2 Type II demonstrates that these controls are not only documented, but consistently followed in real-world operations.

---

Laying the Foundation: A More Controlled AWS Environment

Our SOC 2 journey began at the start of the year with a deliberate infrastructure decision: migrating to a more tightly controlled AWS environment. This step allowed us to standardize how infrastructure is deployed, monitored, and secured, while enforcing least-privilege access and centralized logging across our systems.

By strengthening our infrastructure baseline first, we ensured that security controls could be applied consistently and audited reliably as the company continued to grow.

---

Formalizing Controls with Drata

With infrastructure in place, we implemented formal SOC 2 controls using the Drata compliance automation platform. Drata helped us translate our existing practices into clearly defined policies and measurable controls, while continuously collecting evidence directly from our systems.

This phase required coordination across engineering, operations, and leadership. Policies were written to reflect how LON actually works, and controls were embedded into day-to-day workflows rather than treated as one-off compliance exercises.

---

The Type II Audit Period: July 15 – October 15

The core of SOC 2 Type II is the observation period. From July 15 through October 15, our controls were tested in live production conditions. During this time, evidence was gathered continuously and reviewed by our independent auditor, Sensiba, to confirm that controls related to security, availability, and confidentiality were functioning as designed.

Successfully completing this three-month audit window validated that our controls are operational, repeatable, and consistently enforced.

---

What This Means for Our Customers

SOC 2 Type II compliance provides independent assurance that Loan Originator Networks operates with disciplined, mature security practices. For our customers and partners, this translates into greater confidence during vendor reviews, smoother onboarding with banks and investors, and clearer visibility into how sensitive data is protected.

Most importantly, it reinforces our long-term approach: security is not a single project or certification, but an ongoing responsibility.

---

Looking Ahead

SOC 2 Type II is a milestone—not a finish line. We will continue to monitor, refine, and improve our controls, undergo annual audits, and maintain transparency through our Trust Center.

We are proud of the work our team has done to reach this point and grateful to our customers and partners who trust us with their data.

---

To learn more, visit our
👉 Trust Center

For additional questions or documentation, please
👉 Contact Us