
Sturdy announces SOC 2 Type II security compliance certification

By
Joel Passen
July 11, 2022
5 min read

It's official: Announcing our SOC 2 Type II Report

Shortly after launching Sturdy, we started our SOC 2 certification process. A SOC 2 report is for service organizations that hold, store, or process the information of their users. You can read more about it here.

Late last year, we obtained our SOC 2 Type I report. This represents a "snapshot", indicating that we have robust controls in place to ensure the security and availability of our customers' data.

Today, we are announcing that Sturdy has obtained a SOC 2 Type II report. This is the most comprehensive SOC protocol, and it attests not only to the suitability of our processes and systems, but also to our operational effectiveness in adhering to those controls over a period of time.

The full writeup describes our suite of controls for securing and handling customer data, including:

  • System monitoring and ongoing risk assessments
  • Internal access control to production environments
  • Disaster recovery, data backup, and incident response processes
  • Communication of changes to customers
  • Employee on-boarding and termination processes

We're proud of this report. It is a reflection of our dedication to security and the product of many months of hard work from our team, particularly Eric Weidner. Our commitment to security is about more than checking a box: every day we make sure that our systems and processes are worthy of the important data our customers trust us with.

Sturdy is a data-centric system of intelligence for post-sales teams. Working with data, including some of our customers' most sensitive information, is what we do. We work to earn their trust by putting security and privacy front-and-center. This includes industry-leading controls, data minimization, and a secure-by-design architecture. Perhaps most importantly, we have built a security-conscious culture from Day 1: everyone at Sturdy knows that we solve for security first. You can read more about our processes and approach below.

Security Program

At SturdyAI, the security and integrity of our customers' information is of utmost importance. Therefore, Sturdy has developed and maintains a comprehensive Information Security Management program to manage risks to the security, availability, confidentiality, integrity, and privacy of Sturdy systems and products. Our program has been independently audited and certified to meet the requirements of Trust Services Criteria SOC 2 Type II.

Privacy

Sturdy products utilize customer communication data to detect important signals that may include private information, such as names and contact information. To protect the privacy of this information, we maintain policies and processes to comply with data privacy regulations such as CCPA and GDPR and to help our customers comply with their obligations as the controllers of this data. Please see the Sturdy privacy policy for more information on data privacy practices and controls.

Infrastructure

Sturdy utilizes Amazon Web Services (AWS) as the Infrastructure-as-a-Service hosting provider. All data is stored in AWS data centers located in the United States. Communications into our services are encrypted-in-transit and data is stored encrypted-at-rest using industry-standard encryption mechanisms. Web application firewalls and network management tools such as VPCs, private subnets, and security groups are used to manage the flow of information and access between services. Infrastructure services are defined, managed, and deployed with Infrastructure-as-Code orchestration tools for consistent and repeatable systems. Tenant data is isolated in separate systems, and production systems are kept in restricted-access accounts separated from the development environments. Third-party penetration testing is conducted annually.

Questions about Sturdy's security program? Contact us at security @ sturdy.ai. 
