What is SOC 2? (and why you should do it)
The ins and outs of our SOC 2 Type 2 report: what it is, why we did it, and our top takeaways for other SaaS companies looking to start
We’re pleased to announce that Violet has just received our SOC 2 Type II compliance report for Security and Availability.
We had a few takeaways from the process, and wanted to share what we learned.
What is SOC 2?
First: what is SOC 2? While it's a critical compliance certification, we were surprised to find how little people understood it, even on parts of our own engineering team.
SOC 2 compliance is one of the most important certifications for tech companies in North America, especially for information security. It’s given through an independent auditing process that evaluates a company across a number of SOC 2 requirements. SOC 2 groups those requirements into five main focus areas: security, availability, processing integrity, privacy, and confidentiality.
- Security: Can your company ensure personal data is protected? Can you effectively prevent unauthorized access? How do you handle security incidents?
- Availability: Is your company’s product consistently available? Are you able to reliably prevent outages and avoid latency?
- Processing Integrity: How does your company balance maintaining the integrity of customer information with efficient, convenient processes?
- Privacy: How does your company maintain, dispose, and store customer data?
- Confidentiality: What processes does your company have for protecting confidential information?
Companies that pursue SOC 2 Compliance usually begin by targeting compliance requirements in the one or two areas that are most crucial to their business. They get proof of this audit and compliance in the form of a SOC 2 report.
In addition to focus areas, SOC 2 certification is also broken into two types:
- Type One is the initial audit report that shows a company is in the process of obtaining compliance; it only proves that the company has the correct policies and procedures in place.
- Type Two confirms that a company has gone through the required process, passed its SOC 2 audit, and is in fact effective at preventing security and compliance breaches.
During our SOC 2 certification process we were frequently asked, “Why is an early stage SaaS company like Violet investing in SOC 2?” Most start-ups don’t bother with the process until much later in their growth: SOC 2 certification can be expensive and time-consuming, and is typically considered worthwhile only for mature enterprises.
But at Violet, we’re already working with multiple large, enterprise customers for whom SOC 2 is critical. For us and for our customers, top-notch security isn’t just a nice to have: it’s non-negotiable.
What we did
When we kicked off the process last year, we decided specifically to prioritize the two SOC 2 focus areas that would have the most impact for our customers (and for their customers): security and availability.
Partnering with Vanta proved to be advantageous. They helped us streamline the process by automating the collection of most of the evidence we needed to prove our compliance, and provided clear guidance for, and one place to upload, the rest.
Over the course of a few months, we worked diligently with Vanta to walk through the checklist of documentation and data necessary for the audit, pausing whenever an item required us to update or advance our current systems, processes, or documentation.
We also conducted a penetration test through HackerOne, one of the most trusted names in pen tests today. While we could have opted for a less rigorous test, we knew HackerOne’s reputation and wanted to hold ourselves to the highest possible standard with our customer data.
On March 22, 2022, after many months of gathering, evaluating, troubleshooting, and improving our systems, and with great thanks to Vanta, AWS, and HackerOne, we received our SOC 2 Type II compliance report, which declared us SOC 2 Type II certified.
What we learned
While SOC 2 compliance may not be a top priority for many early stage start-ups, it’s never too early to start preparing for it. Getting SOC 2 compliance as early as possible has helped position Violet as a viable partner for enterprise-scale clients, and proves to potential customers that we value and invest in the security and quality of our product.
For other start-ups considering this process or about to embark on it, here are our top three takeaways that we hope will help others do their part to protect security online:
Do your research / know your customers
One of the benefits of SOC2 compliance is that it allows companies to focus on the areas that matter most to their customers and make the most sense with their business model. Having conversations with current or potential customers about what they require will help target your efforts towards the compliance measures that matter most to your business.
Find the right partners
One of the reasons we were able to pursue SOC2 compliance soon after sealing our Series A funding was because we partnered with Vanta. Between their ability to automate the collection of certain data and documentation, their ability to integrate with our cloud service provider AWS, and their unwavering guidance for all pieces of the process they couldn’t automate, a mountain of work became a much more manageable climb for our engineers.
It’s never too early to start
Everyone can begin to prepare for SOC 2 compliance, whether they plan to start in twelve days or twelve months. A few of the things we quickly realized could be taken care of early include:
- Google Workspace: Whatever single sign-on (SSO) or identity & access management (IAM) provider you use, make sure you’re set up not only to create accounts but also to delete them, and link those procedures to the requisite onboarding and off-boarding alerts.
- AWS: Using major cloud providers like AWS, GCP, or Azure will streamline the SOC 2 process, since partners like Vanta can connect directly to your systems and analyze your configuration. Using less-known cloud providers or on-premise solutions will likely lead to a more complex SOC 2 process.
- MFA: Multi-factor authentication (MFA) should be enabled and enforced anywhere it’s available. This provides an immediate layer of additional security for critical applications and will become a requirement once the SOC 2 process is started.
- Endpoints: Ensure that all desktops, laptops, and mobile devices for your staff are secured with antivirus/anti-malware tools. Additionally, these devices should be secured behind a virtual private network (VPN).
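Three of the items above (accounts for departed staff actually get removed, MFA is enforced, and credentials are rotated) are the kind of thing an auditor asks for evidence of, and the kind of configuration check a tool like Vanta pulls from your cloud account. The script below is an added example, not Violet’s or Vanta’s code, showing what such a check looks like when run by hand. It assumes an export shaped like the first columns of an AWS IAM credential report and an HR list of leavers; both inputs here are constructed sample data, and the 90-day key-age threshold is an assumed policy value.

```python
"""Evidence-style checks for three early SOC 2 controls: offboarded users are
gone, console users have MFA, and long-lived access keys are rotated.
Added example; the input is constructed and only mimics the column layout of
an AWS IAM credential report."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the leading columns of an IAM credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T00:00:00+00:00,not_supported,2022-03-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-06-01T00:00:00+00:00,true,2022-03-20T08:00:00+00:00,2022-01-15T00:00:00+00:00,N/A,true,true,2022-02-01T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2021-02-14T00:00:00+00:00,true,2022-03-19T17:45:00+00:00,2021-11-02T00:00:00+00:00,N/A,false,true,2021-03-01T00:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2020-09-30T00:00:00+00:00,true,2022-03-18T12:00:00+00:00,2021-12-12T00:00:00+00:00,N/A,true,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-08-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-03-10T00:00:00+00:00
"""

# Constructed HR export of staff who have left: user name -> last working day.
OFFBOARDED = {"carol": "2022-02-28"}

# Assumed rotation policy for this example; pick the value your own policy states.
MAX_KEY_AGE_DAYS = 90


def parse_report(text):
    """Parse the CSV export into one dict per IAM user."""
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_accounts(rows, offboarded):
    """Leavers who can still log in or still hold an active access key.

    This is the control behind linking account deletion to off-boarding alerts:
    the HR record says they left, the IAM record says they can still get in.
    """
    return [
        r["user"]
        for r in rows
        if r["user"] in offboarded
        and (r["password_enabled"] == "true" or r["access_key_1_active"] == "true")
    ]


def find_missing_mfa(rows):
    """Users with console access (root included) who have no MFA device.

    Key-only service users show password_enabled == "false" and are skipped;
    root reports "not_supported", which is deliberately not treated as "false".
    """
    return [
        r["user"]
        for r in rows
        if r["password_enabled"] != "false" and r["mfa_active"] != "true"
    ]


def find_stale_keys(rows, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Active access keys older than the rotation policy allows."""
    stale = []
    for r in rows:
        if r["access_key_1_active"] != "true":
            continue
        rotated = datetime.fromisoformat(r["access_key_1_last_rotated"])
        if now - rotated > timedelta(days=max_age_days):
            stale.append(r["user"])
    return stale


def run_checks(report_text, offboarded, now):
    """Return every finding grouped by control, ready to attach as audit evidence."""
    rows = parse_report(report_text)
    return {
        "orphaned_accounts": find_orphaned_accounts(rows, offboarded),
        "missing_mfa": find_missing_mfa(rows),
        "stale_keys": find_stale_keys(rows, now),
    }


if __name__ == "__main__":
    # Constructed "as of" timestamp so the run is reproducible offline.
    as_of = datetime(2022, 3, 22, tzinfo=timezone.utc)
    for control, users in run_checks(SAMPLE_REPORT, OFFBOARDED, as_of).items():
        status = "PASS" if not users else "FAIL: " + ", ".join(users)
        print(f"{control:<18} {status}")
```

Each check returns a list rather than printing, so the same functions can feed a scheduled job that files the output as evidence; an empty list for every control is what you want to be able to show at the end of the Type II observation window, not just on the day you first run it.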
With our SOC 2 Type II report in hand (eerrr...in the cloud behind encryption and MFA) we’re now very excited to grow with some very large customers and to engage in deeper conversations with potential partners, knowing that we can offer scalable, certified assurance to our partners.