PMWEB Achieves SOC 2 Type 2 Certification

PMWEB, the strategic control center for capital program owner-operators, has achieved SOC 2 Type 2 certification following a rigorous independent audit evaluating the design and sustained operating effectiveness of its security controls over an extended period.

This milestone follows PMWEB's December 2025 announcement of SOC 1 Type 2 and SOC 2 Type 1 compliance, completing the full SOC audit cycle.

What SOC 2 Type 2 Means

SOC 2 Type 1 confirms that the right controls exist. SOC 2 Type 2 confirms that those controls work consistently, over time, under independent scrutiny.

Where the Type 1 report validated the design of PMWEB's security framework, the Type 2 certification validates its operational effectiveness across the Trust Services Criteria:

• Security: protection against unauthorized access and threats
• Availability: reliable system performance and uptime
• Processing Integrity: Complete, accurate, and authorized processing

For owner-operators managing complex capital programs, this distinction matters. SOC 2 Type 2 is the standard auditors, procurement teams, and compliance officers recognize as the highest level of independent assurance.

What This Means for Customers

Enterprise organizations in aviation, healthcare, education, government, finance, and real estate infrastructure operate in some of the most regulated and scrutinized environments in the world. PMWEB's SOC 2 Type 2 certification provides:

• Third-party validated assurance that project data is protected by controls that have been tested, not just documented.
• Audit-ready documentation to support internal compliance reviews, vendor assessments, and regulatory reporting requirements.
• Consistent operational reliability backed by an independent auditor's review of how controls performed over the full audit period, not just a point in time.

The Controls Behind the Certification

PMWEB's security architecture is purpose-built for the sensitivity of capital project data. The controls evaluated in the SOC 2 Type 2 audit include:

• Access and Authentication: Role-based access controls with granular permissions, multi-factor authentication, and SSO support via SAML 2.0 and LDAP.
• Encryption and Data Protection: TLS 1.2+ with 2048-bit certificates for data in transit and AES-256 encryption for data at rest, with multi-region encrypted backups.
• Monitoring and Logging: Continuous system and security monitoring, comprehensive audit logging for authentication events and user actions, retained and protected from tampering.
• Governance, Risk, and Compliance: Documented incident response, alignment with NIST, ISO 27001, and OWASP standards, quarterly vulnerability scans, and annual penetration tests.
• Business Continuity: Fully documented and annually tested business continuity and disaster recovery plans.

A Sustained Commitment to Enterprise-Grade Trust

PMWEB continues to strengthen its control environment, expand its audit scope, and invest in the monitoring and resilience infrastructure that world-class capital program organizations require.

For more information about PMWEB's SOC reports and security practices, contact us.