Today we’re adding another medal to the wall: our shiny new SOC 2 Type 2 certification. Ta-dah! SOC 2 reports are how service providers demonstrate that they securely store customer data, and the Type 2 assessment is one of the most stringent audits out there. Compliance isn’t the most exciting topic on the planet—we know. Still, completing this milestone definitely calls for recognition.
For cloud-based SaaS providers like Ushur, a bulletproof security policy is no longer a nice-to-have. It’s absolutely essential, especially for service providers handling sensitive customer data.
Insurance companies, for example, host millions of data points of sensitive customer personal information. This makes them an easy target for hackers. Let’s say a large insurance company grants a third-party vendor access to its customer data. But the vendor’s systems are not set up securely, leaving that customer data unprotected. The insurance company has just exposed millions of records to a potential data breach.
So if you’re an enterprise that outsources any part of your business, get in the habit of asking service providers if they have SOC 2 compliance. It could save you from a very costly breach—not to mention the blow to your brand reputation.
SOC 2 is a security standard written by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report reviews the security procedures of products or services based in the cloud.
Earning SOC 2 Type 2 compliance takes months of preparation, technical development and evidence collection as well as the actual audit of internal systems and policies.
To complete our SOC 2 Type 2 audit report, we were evaluated on how effectively our policies, procedures and controls* meet security requirements and Ushur’s service commitments.
What our customers really need to know is this: SOC 2 compliance guarantees that the confidentiality, availability and security of your customer data are protected from unauthorized access.
Think of a SOC 2 Type 2 certification as a stamp of approval from a third-party compliance expert that says, “this company really prioritizes data protection.”
During a SOC 2 Type 2 assessment, you’re continuously being audited against five security performance criteria called “Trust Service Principles.” Companies that participate in SOC 2 compliance must select a focus for the audit per the AICPA.
For us, the “Availability” principle—ensuring that services and products are accessible as expected—resonated clearly with our mission. We take pride in offering a frictionless interface for our end customers.
Availability has been top of mind lately as offices around the world have gone remote. Being SOC 2 compliant enabled the entire Ushur team to seamlessly transition to remote work nearly two months ago. Maintaining business continuity empowers our customers to do the same—a critical ability in a time when end users rely on you now more than ever.
You might be wondering why we’re writing about SOC 2 reports again when we announced our compliance last year. So what is a SOC 2 Type 2 certification, and how is it different from what we already had?
There are two kinds of SOC 2 report: SOC 2 Type 1 and SOC 2 Type 2.
What we earned previously was a SOC 2 Type 1 certification. A Type 1 report is a “point in time” audit that presents a snapshot of an organization’s security procedures at the time of the audit. To complete a SOC 2 Type 1, a company collects evidence that shows its security controls meet the minimum security requirements, internal requirements and service commitments (like privacy policies).
A SOC 2 Type 2 audit does all that too—but with a more in-depth look at how internal controls perform over a longer period of time. The organization tests its policies and procedures during a six- or twelve-month period, all while collecting evidence that proves its security controls are operating as described. That six-to-twelve-month time frame is why earning a SOC 2 Type 2 report is much more difficult.
We began our nine-month SOC 2 Type 2 audit after earning SOC 2 Type 1 in July 2019. In total, it was an arduous 18-month journey of building compliance, and we don’t regret a single second. We’ll be completing the Type 2 certification on an annual basis. The bottom line is, our customers are worth it.
*If you really want to know: policies are high-level security statements, like firewall or network configuration policies. Procedures are how we maintain and implement our policies. Controls are the actual mechanisms that prevent and minimize security risks.