At CaptivateIQ, we handle sensitive personal and financial data for small teams that are just getting started, to global teams that have sales divisions across multiple continents. Thus, it goes without saying that data security is something that we take very seriously. As part of our commitment to security, we are proud to announce that we have received our SOC 2 Type II attestation report.
What is an SOC 2 Report?
SOC stands for "System and Organization Controls", and it is an auditing procedure governed by the American Institute of Certified Public Accountants (AICPA). The procedure ensures that your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. When considering a SaaS provider, it is common for companies to make SOC 2 compliance a minimum requirement.
SOC 2 evaluates businesses based on five trust service principles that include:
1. Security - refers to the protection of system resources against unauthorized access
- Network/application firewalls
- Multi-Factor authentication
- Intrusion detection
2. Availability - refers to the prevention of outages and the accessibility of services
- Performance monitoring
- Disaster recovery
- Security incident handling
3. Processing Integrity - refers to whether data being processed in a complete, valid, accurate, timely and authorized manner
- Quality assurance
- Processing monitoring
4. Confidentiality - refers to data being restricted to specific persons or organizations in order to protect sensitive data
- Access controls
- Network/application firewalls
5. Privacy - refers to appropriate disposal of data and additional protections for personal identifiable information such as addresses, social security numbers, etc.
- Access control
- Multi-Factor Authentication
Service Organization Control Audit Types
There are 2 types of SOC 2 audits which a company may undergo. SOC 2 Type I, is an audit of a company’s systems, processes and procedures as a snapshot in time. Type I evaluates whether a company’s security processes are designed to address the AICPA’s trust principles.SOC 2 Type II, determines whether a company’s systems are effective over time. This is the report that a company gets after months or years of being operational, proving that its systems effectively protected against material breaches over the months or years it has been in existence.At CaptivateIQ, we wanted to show that we put serious thought into our security systems and that they actually work. This is why we pursued an SOC 2 Type II audit. We wanted to demonstrate to our clients and partners that our security systems have passed the test of time.
Depending on how robust your existing security systems and processes are, preparation for the audit can take a few weeks or a few months. In contrast to a Type I audit, which as we mentioned is a snapshot in time, a Type II audit may require monitoring of your systems for 3-12 months in order to ensure that your processes are effective over a longer period of time.
Some third party consultants will simply assess your business and draft all of your policies for you, while others will provide templates that you can fill out yourself. With Vanta or Secureframe, you can easily connect your tech stack to their system after which they will highlight weaknesses and provide recommendations on how to improve your security infrastructure. Because of the tech stack integration, these partners are able to provide feedback on whether the changes that you implement have made a positive impact and are moving you towards compliance.
The actual audit can be quite simple, especially if you’re using a third party partner such as Vanta. The auditor can easily download your profile and data from Vanta. Additionally, the auditor may also ask for certain files, internal tools or processes to be shared as further evidence. If you’re aiming for Type I attestation, the entire process may only take a week.
The real challenge for most organizations is the time leading up to the audit. Preparing for an audit is akin to preparing for a school exam. You need to set aside time to study and prepare robust notes in order to get that A+.
CaptivateIQ’s Philosophy on Security
There are some organizations that conduct a compliance audit each year to ensure that they are checking all of the right boxes. However, at CaptivateIQ, we have been proactive about creating systems and policies that put security first. As a result, we found that compliance followed naturally and required little additional effort. Our SOC 2 Type II audit results speak for themselves and demonstrate our commitment to protecting ourselves and the companies we serve.
Although we have received our SOC 2 Type II attestation report, we are committed to continuously improving our systems and processes in order to keep our data secure. We approach security with the same mindset that we approach the development of our own product — never stop improving. If you’d like to learn more about CaptivateIQ and how we serve our customers, please reach out to us!