Why SOC 2 Compliance Matters
SOC 2 compliance is essential for technology-based service organizations that store customer data in the cloud. This makes it applicable to most SaaS businesses, and any business that relies on the cloud to store its customers’ information.
There are two types of SOC 2 audits:
- Type I: The report describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II: The report details the operational effectiveness of those systems and includes a historical element that shows how controls were managed by a business over a minimum period of six months.
Once Plutoshift is SOC 2 Type I compliant, we will be on our way to becoming Type II compliant in late 2020 after the required six months have passed.
What does SOC 2 certification entail?
Plutoshift's SOC 2 certification will be awarded by outside auditors after they assess the extent to which Plutoshift complies with one or more of the five SOC 2 trust principles:
The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of the software, and improper alteration or disclosure of information.
The availability principle addresses the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). It involves security-related criteria that may affect availability. Monitoring network performance and availability, site failover, and security incident handling are critical in this context.
The processing integrity principle addresses whether a system achieves its purpose, i.e., delivers the right data at the right price at the right time. The data processing must be complete, valid, accurate, timely, and authorized. However, processing integrity doesn't only imply data integrity; it also includes the monitoring of data processing, along with quality assurance procedures.
The confidentiality principle requires that information designated as confidential be protected according to the User Entity's needs. Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations. The principle includes encryption, which is an important control for protecting confidentiality during transmission. Network and application firewalls, along with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
The privacy principle addresses the system's collection, use, retention, disclosure, and disposal of personal information in conformity with an organization's privacy notice, as well as with criteria determined by the AICPA's Generally Accepted Privacy Principles (GAPP). It includes protecting personally identifiable information (PII) from unauthorized access. Personal data related to health, race, sexuality, and religion is also considered sensitive and generally requires an extra level of protection.