We’ve got quite the exciting announcement for you: we’re SOC 2 Type 2 certified! Which sounds great and all, but what does that really mean? Let’s go over what SOC 2 certification entails and what that means when it comes to us protecting your data.
The Security and Organization Controls (SOC) 2 security certification was developed by the American Institute of CPAs (AICPA) so software users know that what they’ve chosen can be trusted to protect their information. The SOC 2 is built on five pillars called “trust service principles”: privacy, security, availability, processing integrity, and confidentiality.
Privacy ensures that the way the software collects, stores, and uses personal data is safe and secure, and SOC 2 verifies that these measures meet the AICPA's standards. Security is what protects the software from unauthorized access, so no one can steal data or tamper with the software itself. Availability is the accessibility of the software as outlined by an SLA. Processing integrity checks whether the software does its job accurately: the data it processes has to come out whole and correct. This pillar does not, however, speak to the integrity of the data that goes in. Finally, confidentiality means that sensitive information that should only be viewed by a select group stays within that group, whether through firewalls, encryption, and/or access controls.
If an organization meets all the requirements for these five principles, then they can proudly receive a SOC 2 certification! But we’re SOC 2 Type 1 and Type 2 certified, so what’s the difference?
The Type 1 report evaluates the software at a single point in time. It's a less rigorous certification and only takes a couple of weeks to complete. The Type 1 certification also only gives an overview of the software: whether or not it meets the standards of the pillars above, and whether its controls are properly designed.
The Type 2 certification is much more rigorous. Because it evaluates the process as a whole over time, it can take anywhere from three to twelve months and checks whether everything works as effectively as intended. It's definitely more of an investment, but it carries significantly more weight with interested clients.
Now, when we say that we're SOC 2 Type 2 certified, hopefully it carries a little more meaning! We're committed to protecting your data to the best of our abilities, and we do this through several specific processes. When your data is at rest, it's always safely encrypted, and Virtuoso is constantly monitored to detect any vulnerabilities. We also use intrusion detection systems to nip potential security breaches in the bud before they happen. There are more measures, of course, but we've got to keep some things under wraps to protect your data! If you have any questions about our security, feel free to get in touch via our Security and Trust page. Now, go forth and test knowing that your data is well looked after!