SOC 2 Type II report
1. The framework
SOC 2 (Service Organization Control 2) is the AICPA's framework for evaluating the security and availability controls of service organizations. Type II means the auditor evaluated the operating effectiveness of those controls over a period of time — in our case, 12 months — not just their design.
Five trust-services criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. We are evaluated against all five.
2. Scope of evaluation
Schellman evaluated:
- Custody systems (hot wallet, cold storage signing infrastructure, multi-sig procedures)
- Identity and access management (employee accounts, customer KYC, MFA enforcement)
- Network infrastructure (perimeter, segmentation, intrusion detection)
- Application security (code review, secrets management, deployment pipeline)
- Operational practices (incident response, on-call rotation, change management)
- Data handling (encryption at rest and in transit, data retention, deletion)
- Vendor management (third-party risk assessment, ongoing monitoring)
3. Auditor's opinion
"In our opinion, in all material respects, the controls of bitexasia were suitably designed throughout the period 2025-02-01 to 2026-01-31 to provide reasonable assurance that the service commitments and system requirements would be met based on the trust-services criteria for security, availability, processing integrity, confidentiality, and privacy. We further opine that those controls operated effectively throughout that period."
This is an unqualified opinion — SOC 2 nomenclature for "no material exceptions." Three minor observations are noted in the management response section.
4. Observations and management response
Observation 1: Quarterly access reviews
Finding: 2 of the 4 quarterly user-access reviews were completed within the policy-defined 30-day window. The other 2 took 34 and 41 days respectively.
Management response: Automation built in 2025-Q4 reduces review time from an average of 32 days to 11. Subsequent reviews were completed within the window.
Observation 2: Penetration test cadence
Finding: The pen test scheduled for late Q3 was rescheduled to mid-Q4 due to vendor capacity, exceeding the 90-day maximum gap between tests set by policy.
Management response: Vendor diversification and earlier scheduling for the 2026 cycle. The Q4 2025 test was completed; the report (Trail of Bits) is in the audit archive.
Observation 3: BCP test scope
Finding: Annual business continuity test exercised the matching engine but did not exercise the withdrawal-rail failover scenario.
Management response: The Q1 2026 BCP test included withdrawal-rail failover and passed. The annual BCP test scope has been expanded by policy.
5. Availability
Service-level metrics measured during the engagement period:
- Matching engine uptime: 99.992% (target: 99.95%)
- Public REST API uptime: 99.992% (target: 99.9%)
- WebSocket streams uptime: 99.987% (target: 99.9%)
- Withdrawal rail uptime: 99.91% (target: 99.5%)
All availability targets were met or exceeded. Live and historical SLA metrics are tracked publicly on the status page.
6. Full report and contact
The full SOC 2 Type II report (~95 pages including detailed control descriptions and test results) is available under NDA to enterprise customers, regulators, and qualified institutional partners. Request via audits@bitexasia.com with company name and intended use; response within 5 business days.
Other audits: proof-of-reserves, penetration test, operating licences.