Skip to content
Magma Devs
Back to blog
Company News·July 16, 2026·6 min read

Magma Devs Is Now SOC 2 Type II Compliant and ISO 27001 Certified

Magma Devs has completed its SOC 2 Type II audit with a Big Four firm, with zero exceptions noted, and is certified to ISO/IEC 27001:2022. What both cover and how to request the report.

By Magma Team

Magma Devs Is Now SOC 2 Type II Compliant and ISO 27001 Certified

Magma Devs has completed a SOC 2 Type II examination, conducted by a Big Four audit firm, covering the security of the Smart Router platform. The auditors tested our controls in operation and noted zero exceptions. Alongside it, we achieved certification to ISO/IEC 27001:2022, the international standard for information security management systems.

Together, the two cover the security assurance frameworks most vendor reviews ask for, in both North American and international markets.

Why we did this

SOC 2 comes in two forms. A Type I report checks that controls are well designed at a single point in time. A Type II report goes further: an auditor tests that the controls operated effectively over a sustained period. We chose Type II.

The auditor matters as much as the report type: a SOC 2 report is only as credible as the firm that signs it. We engaged PwC, one of the Big Four and among the most recognized audit firms in the world. Our clients are often audited by the Big Four themselves, so the signature on our report is one their auditors and regulators already accept.

We did this because of who our clients are. Smart Router sits in the critical path for custodians, exchanges, and security platforms: teams like Fireblocks, Kraken, Galaxy, and Hypernative, with more than $8T in activity across client platforms. These companies are among the most heavily audited in crypto and require independent verification of their vendors' security.

Tal Bar David, CEO of Magma Devs
"For us, SOC 2 Type II and ISO 27001 are practical business decisions: they reduce the time between a client's first evaluation of Magma and the moment Magma runs in production. The most demanding teams in the industry already trust our infrastructure; now we have the independent proof to support that trust."
Tal Bar David· CEO, Magma Devs

What this means if you are evaluating us

Vendor security reviews are slow: questionnaires with hundreds of items, follow-up calls, evidence requests, internal approvals. A SOC 2 Type II report replaces most of that process with a single document:

  • Fewer questionnaires. The report answers most standard questionnaire items with evidence tested by an independent auditor.
  • Shorter procurement. One attested report instead of weeks of evidence collection and review cycles.
  • Evidence your auditors accept. A Type II report from a Big Four firm fits directly into your third-party risk management program.

What the audit covered

The examination covered the SOC 2 Security trust services criteria for the Smart Router platform, including:

  • Access control: restricted, need-based access to production infrastructure, logged and reviewed
  • Infrastructure security: hardening, redundancy, and replication across multiple availability zones
  • Monitoring and incident response: continuous monitoring, alerting, audit logging, and formal response playbooks
  • Change management: controlled, reviewed changes to production systems
  • Personnel and vendor security: confidentiality agreements, security awareness training, and security commitments required of IT vendors and partners

Every control tested was reported with no exceptions noted.

The ISO 27001 certification

ISO/IEC 27001 is the leading international standard for running an information security management system (ISMS): the policies, processes, and controls an organization uses to manage security risk continuously. Where SOC 2 attests to how controls operated over a period, ISO 27001 certifies the management system that keeps them operating.

Our certification covers ISO/IEC 27001:2022, the current version of the standard. The scope is end to end: design, development, testing, documentation, and hosting of our infrastructure products, including source code management and infrastructure provisioning, as well as the sales and business development activities that handle prospect and client information. If your review requires ISO 27001, either instead of or in addition to SOC 2, we now meet it.

What we never touch

An audit shows our controls work. Our architecture shows something equally important: how little sensitive data there is to protect. By design, Magma Devs does not store or manage:

  • Customer private keys or seed phrases
  • Wallet secrets or customer funds
  • Payment card data, PHI, or sensitive end-user personal data

We do not sign transactions and have no access to customer signing infrastructure. Smart Router processes only the RPC traffic itself: requests, responses, and routing metadata, much of which is public blockchain data. A routing layer that cannot access keys or funds is a far smaller risk surface. Teams that want maximum control can deploy Smart Router on-prem or from open source; the SOC 2 report extends the same assurance to our managed offering.

This is an ongoing program

SOC 2 Type II reports cover a defined audit period, and ISO 27001 certification requires regular surveillance audits and recertification. We will maintain both, alongside the security engineering in the product itself (RPC Security).

How to request the report

Existing customers: contact your account team. Prospects: contact us or visit our Security & Compliance page. We typically deliver the SOC 2 report and ISO 27001 certificate within one business day.


Need the report for your vendor review? Talk to our team. We will send the report and answer your security team's questions about the architecture.

How exposed is your RPC stack?

Take the 2-minute Secure RPC Assessment and get a personalized risk report.

Run the assessment

Frequently Asked Questions