SOC 2 Type II Renewal: What It Means for Art Logistics Security

In March 2026, Convelio completed its SOC 2 Type II renewal. The scope of this audit, conducted by an independent third party over 12 months, tripled compared to the previous cycle. Across 81 controls, the auditor identified zero exceptions.

Three Times the Scrutiny, Zero Exceptions

A gallery's client list. The provenance trail of a seven-figure acquisition. Insurance valuations for a private collection. Customs declarations crossing three borders before an art fair opens. Fine art logistics generates sensitive data at every stage, and the question for any organization handling that data is not whether security measures exist. The question is whether anyone independent has verified them.

In brief:

  • Audit scope tripled: Security, Availability, and Confidentiality verified over 12 consecutive months.
  • Significantly expanded control set tested across all three criteria with zero exceptions, zero security incidents.
  • Review our practices directly on the Trust Center.

What the auditor found

This cycle, the auditor covered three times more ground over three times longer, testing nine additional controls. The result was the same as before: zero exceptions, zero security incidents.

We won't claim this makes us immune, because no one is. What it shows is that our commitment is real, structured, and independently verified.

Why Convelio chose to expand the audit scope

The previous certification covered Security alone. For a fine art logistics company handling provenance records, transaction data, and consignment details across 90+ countries, that scope felt insufficient, so we decided to extend it.

The renewal now covers Security, Availability, and Confidentiality, each verified over a full operating year. That is the most rigorous observation window the SOC 2 framework offers.

What changed in Convelio's security posture

Encrypted disaster recovery across regions

Your data is replicated across geographically separated regions, with identical encryption and access controls. If one region goes down, the other is already running. The setup is designed to minimise switchover time and protect the continuity of your records.

Real-time threat interception

A Web Application Firewall now operates in front of all client-facing services. It is designed to identify and block known attack patterns and threats before they reach your data.

Security-hardened infrastructure by default

Deployment code enforces a strict security template automatically across every server and container. The result is consistent, documented, and verifiable with every new deployment.

Two new trust service criteria verified

The previous audit covered Security alone. This cycle added two more, each directly relevant to how fine art logistics data is handled.

Availability. The audit confirmed continuous system capacity monitoring, tested disaster recovery procedures, and protection against service disruption. Recovery plans are tested annually. The backups they depend on are independently verified.

Confidentiality. Data is encrypted at the storage block level, in transit, and at rest. Retention policies govern how long data is kept, and secure disposal procedures ensure proper removal when records are retired. Protection applies through the entire data lifecycle: from quote request to record retirement.

What SOC 2 Type II verifies and what it does not

A SOC 2 Type II audit verifies that controls are designed correctly and operated effectively throughout the observation period. The auditor reviewed penetration test reports, disaster recovery test results, backup configurations, insurance policies, and exit procedures.

SOC 2 covers Convelio's controls specifically. As with any compliance framework, it works best when complemented by each organization's own security practices.

Questions to ask when evaluating an art logistics partner

If you are conducting due diligence on a fine art provider, consider:

  • Has their security posture been verified by an independent auditor, and over what period?
  • Does the audit scope cover availability and confidentiality, or security alone?
  • Can you review their compliance documentation without requesting it?
  • Are security responsibilities formalised in the service agreement?
  • Do they carry cyber insurance?

These are the questions Convelio's SOC 2 Type II renewal addresses.

Trust Center: review our security practices on your terms

Convelio launched a Trust Center where clients and prospects can consult security policies, compliance documentation, and operational status directly.

"Protecting the data behind every shipment is as fundamental as protecting the work itself. This renewal reflects that principle." — Edouard Gouin, CEO and co-founder of Convelio

The Trust Center is available now. Review Convelio's security posture, compliance status, and policies at any time.

April 28, 2025