RollKall Achieves Third Consecutive Year of SOC 2 Type 2 Compliance with Zero Exceptions
RollKall is SOC 2 Type 2 compliant for the third year in a row with zero exceptions. This post explains what that means in plain language, why it matters for agencies running extra-duty programs, and the security practices behind the platform, including resilient Azure infrastructure, encryption, strict access controls, monitoring, and regular third-party testing.

If you work in public safety, trust is not a nice-to-have. It’s the job. That’s why we’re excited to share something that matters to the agencies and communities we serve:
RollKall has received our finalized SOC 2 Type 2 report, and for the third consecutive year, our independent auditors noted zero exceptions, marking another clean SOC 2 audit.
“Public safety agencies trust RollKall with sensitive operational and financial data every day. Our responsibility is to operate with strong, consistent security controls that stand up to independent scrutiny. SOC 2 Type 2 helps validate that discipline year after year.”
-Chris White, Founder & CEO of RollKall.
What SOC 2 Type 2 Compliance Is
SOC 2 is a widely recognized standard for how a company protects customer data and operates its systems over time. It evaluates controls aligned to the AICPA Trust Services Criteria (most commonly areas like security, availability, and confidentiality) and how consistently an organization follows the controls it commits to maintaining.
SOC 2 comes in two forms that often get confused. The difference is simple: time and evidence.
A SOC 2 Type 1 answers: “Are the controls designed correctly right now?” It’s a snapshot of whether policies and controls exist and are appropriately designed at a point in time.
A SOC 2 Type 2 answers: “Do the controls actually work over time?” It tests operating effectiveness across a continuous period by examining real evidence: things like access reviews, audit logs, security monitoring, incident response records, and change management artifacts.
In other words, it’s not just a promise. It is independent verification that the controls we describe are not only properly designed, but also followed consistently throughout the year.
A simple analogy:
Type 1 is “Show me you built the security system.”
Type 2 is “Show me it worked every day for months.”
What “zero exceptions” means
When auditors say “zero exceptions,” it means that in the samples they tested, the controls they examined operated as described with no noted deviations. It’s strong evidence of consistent security operations and discipline. It’s not a claim that risk is eliminated, but it is a meaningful third-party validation that the controls were followed the way we say they are.
For RollKall, this matters because our platform supports extra-duty programs end to end: scheduling, invoicing, payments, and the workflows that keep officers and administrators moving. When agencies choose RollKall, they’re not only choosing a product. They’re trusting a system.
Why this matters for the agencies we serve
A lot of security talk sounds abstract until you put it in the context of your day-to-day reality.
If you are running extra-duty operations, you’re balancing staffing needs, vendor expectations, payroll realities, and compliance requirements. You should not have to wonder whether your technology partner treats security as an afterthought.
SOC 2 compliance answers that question directly. It is third-party confirmation that RollKall operates with the security and reliability your operations demand.
“Public safety teams already carry enough responsibility. Our job is to reduce risk, not add to it. SOC 2 gives agencies a straightforward, third-party way to see that we’re building and operating with security at the core.”
-Stan Prokarym, CTO of RollKall
A peek under the hood: how we approach data security
SOC 2 is the outcome. The real story is everything we do to make that outcome repeatable.
Here are a few of the practical ways we protect the RollKall platform and the data our customers trust us with.
Built on a resilient cloud foundation
RollKall is cloud-first and hosted on Microsoft Azure, using geographically redundant, U.S.-based infrastructure with built-in redundancy and automatic failover to maintain service availability.
We also maintain frequent automated backups with geographic distribution, providing multiple layers of protection against data loss and service interruption.
Encryption, layered the right way
We use industry-standard encryption to protect your data both in transit and at rest, with additional safeguards to limit exposure of sensitive data within our systems. Where required, we align with applicable federal cryptographic standards.
Tight access controls and strong authentication
Access is one of the most common ways systems get compromised, so we keep it strict:
- Strong authentication requirements and secure network connections are enforced for all system access
- Role-based permissions ensure employees can only access what they need to do their job
- Login safeguards with strong authentication and account protection controls aligned with industry best practices
- Multifactor authentication options for our public safety agencies, allowing even greater security and risk mitigation
Monitoring, auditability, and threat detection
We don’t just set controls and hope for the best. We put visibility and alerting behind them.
We maintain continuous monitoring and alerting designed to identify and respond to security and operational issues.
Regular third-party testing and payments security
SOC 2 is not the only validation point. We also perform regular third-party penetration testing, vulnerability assessments, and ongoing PCI compliance activities.
On payments: RollKall uses a PCI-certified Level 1 Service Provider, and we complete quarterly PCI scans for our API and portals.
Data minimization by design
We collect and maintain only the data needed to support the platform and verify eligibility where required. We do not treat customer data like a product.
Not a one-time project, a habit
Here’s the part we think matters most. A SOC 2 report is a milestone, but security is a practice.
It shows up in how we build features, how we review changes, how we monitor systems, and how we plan for continuity. It shows up in the boring stuff, too, like audit logs, access reviews, and routine testing. The boring stuff is usually what prevents the headline stuff.
“Simply put, good security is quiet, consistent, and repeatable. Our focus is building systems agencies can rely on and proving that reliability through independent validation year after year.”
-Chris White, Founder & CEO of RollKall.
What’s next
We’ll keep doing what we’ve been doing:
- investing in the controls that matter
- strengthening operational discipline
- listening closely to what agencies need from a modern extra-duty platform
- and staying transparent about how we protect the data behind the work
If you’re a current customer and want a walkthrough of our security posture, or you’re evaluating RollKall and security is part of your vendor review, we’re happy to help.



