Hey, take a look at this shiny new certificate - Triple Whale is now SOC 2 Compliant! If you’re wondering what that means or why it’s necessary, that’s precisely what this article is about. Information security is very important, to us and to you. As a software-as-a-service (SaaS) company, we are very aware of our responsibility to keep our customers’ data safe. By going through the SOC 2 auditing process, we have completed the rigorous work necessary to earn a certificate based on how we handle security, availability, processing integrity, confidentiality, and privacy. While it’s not a requirement for SaaS vendors to be SOC 2 compliant, it certainly can put a client at ease to know that security is a priority. In this article, we’ll discuss what SOC 2 compliance is, what it takes to get certified, and how to tell if your tools are SOC 2 compliant so you keep your data (and your clients’ data) safe.
The American Institute of CPAs (AICPA) developed the System & Organization Controls 2 (SOC 2) Reporting criteria in 2010, and it was designed to give auditors some guidance for evaluating the effectiveness of an organization’s security protocols. The framework covers how companies should handle the customer data stored in the cloud.
The requirements for managing and storing customer data are based on five Trust Services Criteria (TSC):
Therefore, a business must meet requirements in these five areas in order to be SOC 2 compliant/certified. These requirements are unique to each organization, however, and each business designs its own controls to ensure they’re in line with the trust principles outlined above. Once the requirements are met, a report is generated that outlines how that service provider manages data. There are two types of SOC reports: Type I describes the vendor’s system and whether its design is suitable to meet those trust principles, and Type II outlines the operational effectiveness of those systems.
To obtain SOC 2 certification, an outside auditor evaluates how a vendor complies with the trust principles below, based on the systems and processes in place.
The first step to getting SOC 2 certified is to choose your audit provider, which can be any licensed CPA firm accredited by the American Institute of Certified Public Accountants (AICPA). It’s also important that the firm has no relationship with the service organization it’s auditing. Additionally, since SaaS organizations often store or transmit data through the cloud, it’s important to have an accountant who is familiar with cloud technology environments.
These days, there are many service providers that can set you up to collect the necessary information and start the audit process. Previously, companies looking to get certified would manually collect information and then present it to the auditor for review. The audit process is much simpler with in-house experts and automated technology in place to manage it from the beginning. We used Thoropass as our SOC 2 audit provider, and they helped us produce a SOC 2 compliance report!
Based on a detailed outline from Thoropass, here are the general steps for a SOC 2 audit:
The length of time to complete a full audit will depend on a variety of factors, including how you’ve designed and implemented the controls your company uses, how security information is organized and maintained, and the auditor themselves. As a result, SOC 2 audits can take anywhere from 6-12 weeks.
Once the audit is complete, you’re not actually done! There are annual tasks that need to be completed to maintain compliance as your company matures and scales.
A SOC 2 Type I report evaluates a company’s controls at a single point in time and generally reports whether the company’s security controls are designed properly. By contrast, a SOC 2 Type II report assesses how those controls function over a period of time, typically about 3 to 12 months. This report makes it clearer whether the security controls found to be properly designed at the point in time covered by the Type I report continue to operate effectively over the designated duration required for a Type II designation. SOC 2 Type II therefore often offers greater assurance to your customers.
Familiarize yourself with the Trust Centers available on the websites of tools you use (ours is here). On the Trust Center, you can see answers to commonly asked questions about how personal data is stored and used. If necessary, a more detailed description of a company’s security policy should always be available upon request from that company. Most (if not all) websites that collect any sort of personal data will have a privacy notice available on the website, and it typically lives in the footer section.
You’re damn right we are. We received our SOC 2 Type I certification in August of 2023, and are currently working towards the SOC 2 Type II certification once the audit timeline has passed, hopefully in early 2024.
While obtaining SOC 2 certification isn’t mandatory for a SaaS company to operate, we’re committed to upholding the rigorous standards in information security and data management. We hope it offers reassurance to our clients about our dedication to data safety and protection, which will also benefit your clients. Want to see why we’re the best AI Data company while also being SOC 2 compliant? Book a demo to learn more about how you can trust us with helping your company scale to the moon.