Since the beginning of our business, we have been focused on the security and privacy of our business community. We are thrilled to announce today that the pending SOC 2 certification we announced is now LIVE for all Enterprise accounts.
This certification demonstrates the trustworthiness of our software in keeping your data safe and secure. We value our users’ privacy, and this certification, given by outside auditors, provides peace of mind. We also put in extra diligence and effort to go straight for a Type 2 certification.
Many companies out there will tout SOC 2, but will only go for the very basic Type 1 certification, which doesn’t have nearly enough rigor. Our dedicated Enterprise team went above and beyond, straight into Type 2, for our community.
Why does it matter? SOC 2 shows the commitment we have to our business community in keeping their teams’ and companies’ data private and secure.
How do I get it? It is available immediately to Enterprise customers. If you aren’t an Enterprise customer, you can connect with our sales team to get started here.
What was the process? As a remote company, we brought on a remote service that would help meet our SOC 2 Type 2 Certification. We automated many aspects of SOC 2 that used to be manual. With continuous monitoring of our system, we were able to focus our attention on our process and controls.
What is SOC 2 Compliance?
Service Organization Control 2 (SOC 2) is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. SOC 2 is a technical auditing process and certification that measures security and availability, and it serves as an assurance to customers that their data is being managed in a controlled and audited environment.
When a business is SOC 2 compliant, it signifies that it has implemented proper security systems to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data.
SOC 2 compliance is essential for technology-based service organizations that store customer data in the cloud. This makes it applicable to most SaaS businesses, and any business that relies on the cloud to store its customers’ information.
There are two types of SOC 2 audits:
- Type I: The report describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II: The report details the operational effectiveness of those systems and includes a historical element that shows how controls were managed by a business over a minimum period of six months.
Zight (formerly CloudApp) decided to go straight to Type II compliance.
What does SOC 2 certification entail?
The SOC 2 certification is awarded to businesses by outside auditors upon assessing the extent to which they comply with one or more of these five trust principles:
Security
The security principle refers to the protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of the software, and improper alteration or disclosure of information.
Availability
The principle checks the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). It involves security-related criteria that may affect availability. Monitoring network performance and availability, site failover, and security incident handling are critical in this context.
Processing integrity
This principle addresses whether a system achieves its purpose, i.e., delivers the right data at the right price at the right time. The data processing must be complete, valid, accurate, timely, and authorized.
However, processing integrity doesn’t only imply data integrity; it also includes the monitoring of data processing, along with quality assurance procedures.
Confidentiality
Information that is designated as confidential should be protected according to the User Entity’s needs. Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organizations.
The principle includes encryption, which is an important control for protecting confidentiality during transmission. Network and application firewalls, along with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
Privacy
The privacy principle addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria determined by the AICPA’s Generally Accepted Privacy Principles (GAPP).
It includes protecting personally identifiable information (PII) from unauthorized access – personal data related to health, race, sexuality, and religion is also considered sensitive and generally requires an extra level of protection.
Why is SOC 2 Compliance Important?
Meeting SOC 2 compliance means establishing processes and practices that provide oversight across a company, assuring customers that their data is protected from any unusual, unauthorized, or suspicious activity.
To meet SOC 2 requirements, a business needs to receive alerts whenever unauthorized access to customer data occurs. SOC 2 compliant companies are required to set up alerts for:
- Exposure or modification of data, controls, or configurations
- File transfer activities
- Privileged filesystem, account, or login access
Having a SOC 2 badge on the Zight (formerly CloudApp) website represents the dedication to keeping customer information private and secure. Zight (formerly CloudApp) understands the need for customers to feel safe about their data, and it’s the reason why we are excited to bring this to our community.