Big news: We’re the proud owners of a shiny new SOC 2 Type I Report!
Completing a SOC audit is a huge deal for SaaS start-ups like us. The output of a SOC audit, a SOC report, is an independent auditor's attestation on the design of our business and data security controls, and it offers a competitive advantage by establishing credibility and trustworthiness as a service provider. Even though we already knew we were great, our SOC report now evidences that we have our data, and our customers' data, on lock.
What’s a SOC?
System and Organization Controls (SOC) reports are reports, issued by an independent CPA firm, on the internal controls at a service organization and the systems it uses to deliver its services. They provide the information that prospective and current users need to assess and address the risks associated with an outsourced service.
Think of it like this: Any time a client decides whether to work with AgentSync, they also need to confirm that in doing so, we won’t pose any unnecessary risk to their own business.
Without a SOC audit, clients might ask to review sensitive information, such as our policies, processes, and procedures covering anything from business continuity and disaster recovery to our information security policies, password policies, infrastructure diagrams, and so on. It isn't in our best interest to share this information with every prospect, because doing so exposes us to risk: it shows others exactly how we keep AgentSync secure and how we protect ourselves. We don't want anyone using that information to undermine the effectiveness of our security controls!
The answer to this dilemma: SOC reports.
With a SOC report, an independent auditor examines our controls and reports whether any exceptions were found, so we don't have to hand the details of those controls to every single prospective client. This lets companies feel confident that their service providers have controls that meet the applicable criteria, while protecting the effectiveness of those controls.
SOC 1 vs. SOC 2, why we chose to forgo a SOC 1, and Type I vs. Type II
Fortunately for us audit nerds, there's a whole suite of SOC reports: SOC 1, SOC 2, and SOC 3 for service organizations, and more recently, SOC for Cybersecurity, which any entity can obtain. Let's look specifically at SOC 1 and SOC 2.
- A SOC 1 report is for service organizations whose services are, or may be, relevant to their clients' internal control over financial reporting.
- A SOC 2 report is for service organizations that hold, store, or process their clients' information, where that service isn't relevant to the clients' financial reporting (e.g., it would not affect their income statement or balance sheet).
The SOC 1 report does not apply to AgentSync, as our clients do not rely on us as the basis of their financial reporting. So, we have our SOC 2 (which reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy).
Additionally, these reports come in two types. A Type I report is a point-in-time report on the fairness of the presentation of the service organization's system description and the suitability of the design of the controls to achieve the related control objectives (for SOC 2, the applicable trust services criteria) as of a specified date.
A Type I report is usually followed by a Type II, which reports on the fairness of the system description, the suitability of the design of the controls, and the operating effectiveness of those controls throughout a specified period.
So, a Type I attests that the procedures and controls we have put in place were suitably designed at a given moment, while a Type II covers an audit period and provides evidence of how an organization actually operated its controls over time (typically not less than six months). Our current report is a SOC 2 Type I, which means we can look forward to a Type II report shortly.
Who can see our SOC?
These reports are intended to meet the needs of a broad range of users who need information and assurance about the controls at a service organization. They describe the security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by those systems. They can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
You can read more about SOC reports (which are attestation reports, not certifications) from the American Institute of CPAs for additional context: https://www.aicpa.org/SOC
While we're very excited about our SOC report, it is a restricted-use document, and we have a couple of requirements for how and when it can be shared. If you're unsure whether you meet the qualifications to view our SOC report, reach out to your sales representative or customer success manager.