Data breaches can cost a company millions; for this reason, we needed to prove to each and every potential client that our business could be 100% trusted. In other words, we needed to become SOC 2 certified.
Without SOC 2 certification, we knew it would be virtually impossible for our solution to compete in the market — end of story.
Conversely, we knew that if an organization knew that they could trust our team (and we could prove it through SOC 2 certification), then our opportunities would be endless.
With help from Dash, we’re proud to announce that we recently completed our SOC 2 Type 2 audit. Let’s take a closer look at what SOC 2 compliance is, how we obtained certification with Dash, and what this means for our future customers.
What is SOC 2?
- What is SOC 2?
- How We Achieved SOC 2 Compliance With Dash
- SOC 2 Type 1 vs. SOC 2 Type 2
- The Benefits of SOC 2
- Becoming SOC 2 compliant with Dash
In simple terms, SOC 2 represents the colossal amount of time and effort that we’ve spent ensuring that all of our systems, servers, and products remain top-of-the-line when it comes to compliance and security.
Part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control — SOC 2 — reporting framework is a security audit and attestation built specifically for SaaS companies that manage customer data.
Designed to test and provide a report surrounding an organization’s internal security controls, we may now provide our SOC 2 report to potential clients, customers, partners, and other third parties as proof that we have a robust security program in place.
How We Achieved SOC 2 Compliance With Dash
In order to achieve SOC 2 compliance, just like any other organization, we were assessed via an auditing process that measures our adherence to the AICPA’s Trust Services Criteria (TSC).
Now, technically this can be done internally, but as any sane person will tell you, obtaining SOC 2 certification is no walk in the park.
For this reason, we decided to partner with Dash. They worked side-by-side with our team and assisted us from start to finish — literally. Dash helped us put together a security program (in line with the Trust Services Criteria); develop administrative policies; round up all of the necessary documentation and evidence needed for the auditing process — they even provided us with a reputable auditing firm.
As I just used a lot of technical jargon, let’s take a closer look at this process, beginning with the Trust Services Criteria…
Trust Services Criteria consists of the five following categories of criteria, including:
- Security: Protecting against unauthorized access
- Availability: Ensuring the system is available for operation and use
- Processing Integrity: System processing is complete, accurate, timely, and authorized
- Confidentiality: Information designated as confidential is protected as committed or agreed
- Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA (Canadian Institute of Chartered Accountants)
In summary, we had to…
- Implement a security program and all internal security controls required under TSC
- Conduct a SOC 2 Audit with a 3rd party auditor
- And, for a SOC 2 Type 2 Audit, we had to maintain SOC 2 internal controls over a period of time.
As a SOC 2 Type 2 audit is conducted over a 3-12 month period, there is a lot that can go wrong. Thankfully, Dash ComplyOps provided us with their continuous compliance monitoring solution. This was a life-saver as it continually scanned and monitored our entire AWS Cloud environment and notified us regarding any potential compliance issues.
Note: As the auditing process is so vigorous, comprehensive, and all-encompassing, many government, financial, and medical institutions will not even consider working with a provider that hasn’t obtained SOC 2 certification.
SOC 2 Type 1 vs. SOC 2 Type 2
As mentioned, under SOC 2, there are two types of audits and reports — Type 1 and Type 2:
SOC 2 Type I: This type of report focuses on an organization’s system and the design of its security controls related to the Trust Services Criteria (TSC).
A Type 1 evaluation is based on an organization’s description of its service organization system, including the suitability of the design and operational effectiveness of its controls. In other words, its security controls are evaluated at a specific point in time.
SOC 2 Type 2: This is the report that we obtained after working with Dash. This second type of report focuses on an organization’s system and the design of its security controls related to the Trust Services Criteria (TSC) and operational effectiveness of controls.
The security evaluation and auditing standards for Type 2 are more rigorous compared to Type 1 — hence our decision to work with Dash. During our SOC 2 audit, not only did an auditor assess the description and controls of our organization, but the operational effectiveness of our security controls were also assessed. For this, over a 7-month period, we had to demonstrate that our security controls were in place and working as they should. As it is much more intensive, this type of audit usually takes place over a 3 to 12-month period.
In short, while a Type 1 report provides a certain level of validation for an organization’s internal security controls, its value quickly diminishes over time as it is a point-in-time assessment. A Type 2 report evaluates the same internal controls but is a more comprehensive report as it is evaluated over an extended period of time.
Note: Having a current report shows that your company has all necessary controls to secure confidential data and personally identifiable information (PII). In turn, such commitment allowed our company to stand out from the competition and build early trust in the marketplace.
The Benefits of SOC 2
Obtaining a SOC 2 report is an effective way to demonstrate the security posture of your startup company to impress potential clients. SOC 2 reports are considered to be the gold standard when it comes to measuring an organization’s security profile. As such, SOC 2 certification can benefit your company in a variety of ways, including:
Establishing Credibility with Clients and Investors
Vendor security is a serious concern for established companies and large enterprises. With growing security concerns, organizations are now more carefully vetting new software solutions and software vendors.
Successfully completing a SOC 2 audit is a fantastic way to prove the effectiveness of your security controls and ease security concerns to Fortune 500s, regulated industries such as financial services and healthcare, and potential investors. After completing a SOC 2 audit, you’ll be fully prepared to handle any security and compliance-related questions from clients and security risk assessments (SRAs).
Provides a Competitive Advantage
As security breaches are a very real concern, the willingness to undergo a SOC 2 audit demonstrates your company’s dedication to a strong security posture. An up-to-date report proves that your company has all the necessary controls in place to secure confidential data and personally identifiable information (PII). In turn, such commitment will allow your company to stand out from the competition and build early trust in the marketplace.
Assists in the Development of Strong Policies and Procedures
Thanks to the rigorous testing and standards involved in the SOC 2 auditing process, upon completion, your business will emerge equipped with formally defined policies and procedures. These policies define key processes and controls throughout your organization and business operations. Aside from mitigating potential security risks, formally defined policies and procedures provide a foundation for your company’s security program. Your team can build on this security program in the future.
SOC 2 Lowers Your Risk Profile
Large enterprises must ensure that any potential new vendors and/or software solutions have up-to-date security measures in place that will not jeopardize their organization. If your organization doesn’t have a SOC 2 report, then believe me, they’ll find another vendor that does. Having a current SOC 2 report helps alleviate client security concerns and lowers your company’s overall risk profile.
Becoming SOC 2 compliant with Dash
Achieving SOC 2 compliance requires tons of hard work, expertise, patience, and organization. Although we’re proud to have finally obtained the coveted SOC 2 Type 2 report, we couldn’t have done it alone.
Dash ComplyOps was designed to help teams prepare for, and achieve SOC 2 compliance. Dash worked closely with our team, assisting us with custom administrative policies, establishing cloud security controls, and enforcing SOC 2 internal controls through continuous compliance monitoring.
But don’t take my word for it, check out their website to learn more about how they can help you streamline the SOC 2 auditing process to achieve SOC 2 certification quickly and painlessly.