What is SOC 2 and Why Does it Matter?

At gofor, our customers’ trust is a top priority, and we’re continuously working to ensure that their confidential data remains secure. We demonstrate this in part through our pursuit of relevant certifications and accreditations. That’s why we were so pleased recently to announce that GoFor achieved a SOC 2 Type 1 attestation.  You can read all about it in our press release.

In this blog post, we elaborate on what SOC 2 compliance is and why gofor believes it’s important to have gone through this audit process. We also share our ideas about why it’s important to at least consider SOC as one of the criteria you use when choosing a technology driven partner to work with.

what is soc 2

SOC 2, which stands for Systems and Organizations Controls 2, is a set of criteria and a certification process developed by the American Institute of CPAs (AICPA) and intended for technology companies that store their customers’ data in the cloud. It requires companies to follow stringent security procedures and policies to ensure that their customers’ data is always protected.

SOC 2 is part of a larger framework that also includes SOC 1 and SOC 3. SOC 1 is focused on the handling of financial data and predates SOC 2. The mandate of SOC 2 is an organization’s non-financial reporting controls for cloud and data center security. A SOC 3 report is a less technical version of a SOC 2 report intended for public consumption, so it contains less sensitive information.

There are two types of SOC 2 audits. A Type 1 audit focuses on the infrastructure, software, people, processes, data, and controls that an organization has put in place to meet security and compliance commitments. A Type 2 audit, on the other hand, evaluates and validates the application of controls over time and measures organizational effectiveness. Achieving a favorable Type 1 report is sort of like reaching the base camp for your big climb. It’s a critical step in the process, and it confirms that your implemented security and compliance program is on track. Achieving a favorable Type 2 report is like attaining the summit itself.

soc 2 framework

SOC 2 is based on five “trust service principles”:

  • security – protecting your system resources against unauthorized disclosure, access, abuse, theft, and misuse
  • availability – ensuring your systems, services and products are accessible as required by your service level agreements (SLAs)
  • processing integrity – ensuring the timely, complete, valid, accurate, and authorized processing and delivery of data
  • confidentiality —restricting access to sensitive, confidential data to specified parties
  • privacy – ensuring the collection, use, retention, disclosure, and disposal of personally identifiable information (PII) conforms to privacy policies by using encryption and other practices

soc 2 audit process

To be SOC 2 compliant, it isn’t necessary to be audited for all five of the above trust principles. Rather, your organization can choose the most applicable of them and develop policies and procedures accordingly.

Once your policies and procedures are in place, you will be audited by a certified third party auditor at a CPA firm to ensure your policies and controls meet SOC 2 requirements for trust criteria. An auditor will look for best practices you’ve implemented such as monitoring systems that continually look for suspicious activities, alerts that automatically notify of any unauthorized access to customer data, audit trails that allow you to conduct thorough investigations when responding to incidents, and protections in place for confidential data.

Once you’ve completed your SOC 2 audit, you will receive a report containing an opinion on the effectiveness of your controls and processes. This opinion, if favorable, is a clear indication that your implemented controls are up to standards. Continued yearly audits are suggested to keep your compliance program on track and your third party opinion up to date.

why does soc 2 matter?

In general, SOC 2 is important for technology companies and service providers because it demonstrates they can be trusted with handling their customers’ data. If you’re evaluating potential suppliers that use cloud based systems, here are some benefits of choosing a SOC 2 compliant partner:

  • peace of mind – rest easy knowing the policies, procedures, and practices are in place to protect your sensitive data
  • risk management – choosing a SOC 2 compliant partner is a form of due diligence that helps ensure you’re derisking your business decision
  • minimized downtime – a breach of your or your customers’ data can bring your operations to a halt. Ensure your business stays up and running without issues with  SOC 2 compliance

the bottom line

With gofor’s SOC 2 Type 1 attestation, you can have confidence in the quality of all the controls that keep our customers’ information protected. We’re also looking forward to the completion of the Type 2 audit that evaluates the effectiveness of our controls over a defined time period. Our customers’ trust means everything to all of us at gofor, and our SOC 2 compliance program is just one more way we go about building it.