Triple Whale is SOC 2 Compliant: Why it Matters for SaaS Companies and their Clients

Last Updated: March 18, 2024

Hey, take a look at this shiny new certificate - Triple Whale is now SOC 2 Compliant! If you’re wondering what that means or why it’s necessary, that’s precisely what this article is about. Information security is very important, to us and to you. As a software-as-a-service (SaaS) company, we are very aware of our responsibility to keep our customers’ data safe. By participating in the SOC 2 auditing process, we have completed the rigorous process necessary to earn a certificate based on how we handle security, availability, processing integrity, confidentiality, and privacy. While it’s not a requirement for SaaS vendors to be SOC 2 compliant, it certainly can put a client at ease to know that security is a priority. In this article, we’ll discuss what SOC 2 compliance is, what it takes to get certified, and how to tell if your tools are SOC 2 compliant so you keep your data (and your clients’ data) safe. 

What is SOC 2 Compliance?

The American Institute of CPAs (AICPA) developed the System & Organization Controls 2 (SOC 2) Reporting criteria in 2010, and it was designed to give auditors some guidance for evaluating the effectiveness of an organization’s security protocols. The framework covers how companies should handle the customer data stored in the cloud. 

The requirements for managing and storing customer data are based on five Trust Services Criteria (TSC):

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Therefore, a business must meet requirements in these five areas in order to be SOC 2 compliant/certified. These requirements are unique to each organization, however, and each business will design their own controls to ensure they’re in line with the trust principles outlined above. Once the requirements are met, a report is generated that outlines how that service provider manages data. There are two types of SOC reports: Type I describes the vendor’s system and whether their design is suitable to meet those trust principles, and Type II outlines the operational effectiveness of those systems. 

The Five Trust Principles of SOC 2 Compliance

To obtain SOC 2 certification, an outside auditor evaluates how a vendor complies with the trust principles below, based on the systems and processes in place. 

  1. Security: Defined by how well system resources are protected against unauthorized access, system abuse, theft, unauthorized removal of data, software misuse, and improper disclosure of information.
  2. Availability: Based on a service level agreement (SLA), availability is how accessible a system’s products or services are. The SLA sets the minimum acceptable level of availability as the expectation the system is measured against.
  3. Processing integrity: This means whether a system achieves its purpose, for example, delivering the right data at the right place and time. The data processing is also expected to be valid, complete, accurate, timely, and properly authorized.
  4. Confidentiality: If data is only accessed and disclosed to a specified set of persons or organizations, then it’s considered confidential. Firewalls and access controls can help safeguard information processed/stored on computer systems.
  5. Privacy: The system’s collection, retention, disclosure, and disposal of personal information must conform with the organization’s privacy notice and with the criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).

How to Get SOC 2 Certification

The first step to getting SOC 2 certified is to choose your audit provider, which can be any licensed CPA firm accredited by the American Institute of Certified Public Accountants (AICPA). It’s also important that the firm has no relationship with the service organization it’s auditing, so the opinion is independent. Additionally, since SaaS organizations often store or transmit data through the cloud, it’s important to have an auditor who is familiar with cloud technology environments.

These days, there are many service providers that help you collect the necessary evidence and start the audit process. Previously, companies looking to get certified would have collected evidence manually and then presented it to the auditor for review. The audit process is much simpler when in-house experts and automated evidence-collection tooling are set up to manage the process right from the beginning. We used Thoropass as our SOC 2 audit provider, and they helped us produce a SOC 2 compliance report!

Based on a detailed outline from Thoropass, here are the general steps for a SOC 2 audit:

  1. Select an auditor: The auditor must be accredited by the AICPA, but there are plenty of great options!
  2. Engagement letter: An agreement is made between the organization and auditor that outlines the timeframe and scope of the audit.
  3. Audit Kickoff: A meeting is scheduled to introduce the whole audit process and discuss the timeline more in-depth, including discussion of vendors and policies.
  4. Evidence of control implementation: The company will keep track of any new processes and policies related to required controls, and report all evidence to the auditors. This process can take anywhere from 4-8 weeks.
  5. Questions and requests: Auditors receive and review all of your evidence, policies, and records showing that the required practices have been implemented. They may then send a security questionnaire, which goes back and forth between your team and theirs until their questions are resolved.
  6. Auditor presents opinion: If the auditor finds any exceptions while preparing the report, they give the organization an opportunity to explain why those exceptions occurred before the opinion is finalized.
  7. Receive a final report: After completing a thorough quality assurance, the audit firm presents a final report on the company’s SOC 2 compliance.

How Long Does it Take to Get a SOC 2 Audit? 

The length of time to complete a full audit will depend on a variety of factors, including how you’ve designed and implemented the controls your company uses, how security information is organized and maintained, and the auditor themselves. As a result, SOC 2 audits can take anywhere from 6-12 weeks. 

Once the audit is complete, you’re not actually done! There are annual tasks that need to be completed to maintain compliance as your company matures and scales. 

SOC 2 Type I vs. SOC 2 Type II

A SOC 2 Type I report evaluates a company’s controls at a single point in time, and generally reports whether the company’s security controls are designed properly. By contrast, a SOC 2 Type II report assesses how those controls operate over a period of time, typically about 3 to 12 months. A Type II report therefore shows whether the controls that were found to be properly designed at the point in time covered by a Type I report continued to operate effectively over the designated period. SOC 2 Type II is often a greater assurance to your customers.

How to Tell if the Tools You Use are SOC 2 Compliant

Familiarize yourself with the Trust Centers available on the websites of the tools you use (ours is here). On a Trust Center, you can find answers to commonly asked questions about how personal data is stored and used. If you need more detail, a fuller description of a company’s security policy should always be available from the company upon request. Most (if not all) websites that collect any sort of personal data will have a privacy notice on the website, and it typically lives in the footer section.

So… is Triple Whale SOC 2 Compliant?

You’re damn right we are. We received our SOC 2 Type I certification in August of 2023, and are currently working towards the SOC 2 Type II certification once the audit timeline has passed, hopefully in early 2024. 

Conclusion

While obtaining SOC 2 certification isn’t mandatory for a SaaS company to operate, we’re committed to upholding the rigorous standards in information security and data management. We hope it offers reassurance to our clients about our dedication to data safety and protection, which will also benefit your clients. Want to see why we’re the best AI Data company while also being SOC 2 compliant? Book a demo to learn more about how you can trust us with helping your company scale to the moon.  
