We Are SOC 2 Type I & II Certified!
SOC 2 reports are the result of an official SOC 2 audit. These reports attest that a service organization’s solution has been audited by a Certified Public Accountant (CPA), using standards laid down by the AICPA, with regard to one or more specific attributes:
System resources must be defended against outside access to comply with the principle of security. Access controls must adequately resist attempts at intrusion, device manipulation, unauthorized deletion, data misuse, or improper modification and release. An auditor looks at IT security tools such as web application firewalls (WAFs), encryption and intrusion detection, in addition to administrative controls such as background checks and authorizations.
If access to the data is limited to certain individuals or organizations, it must be treated as confidential. Data protected by the principle of confidentiality could include anything the user submits for the eyes of company employees only, including but not limited to business plans, internal price lists, intellectual property and other forms of financial information. An auditor will take into account data encryption, network firewalls, software firewalls and access controls.
The process, product, or service must remain available per the agreement between user and provider. Both parties either explicitly or implicitly agree on the appropriate level of availability of the service. A system need not be evaluated for efficiency or accessibility to meet the trust principle of availability. To audit availability, an auditor must consider the reliability and quality of the network, response to security incidents and site failover.
What is a SOC 2 Type 1 Audit?
A SOC 2 Type 1 audit is performed by a third-party Certified Public Accountant (CPA) firm. Policies, procedures, processes, documentation, etc., are evaluated based on the standard SOC 2 Type 1 controls. The audit period is a set point in time: the question it answers is whether the organization complies with the SOC 2 Type 1 standards at that point. Note that this audit only needs to be completed by an organization once and does not expire.