
What You Need to Know About SOC 2 Compliance


As the way we use the internet evolves, it has gotten easier for users to access their data from anywhere in the world. But there’s also a downside to this level of access: There’s a growing threat to stored data. You don’t have to look far to find news about the latest data breach or accidental leak.

Extra precautions are needed to ensure data security. This is where SOC 2 compliance comes in. If you are handling data in the cloud, you need to be compliant. If you are compliant, you show your customers you care about their data. And you will get more customers in return.

From email addresses to sensitive financial information, end users trust companies to manage their data properly. Here’s what you need to know about SOC 2 compliance in order to grow your business and maintain customer trust.

Why SOC 2 Compliance matters

Established by the American Institute of CPAs (AICPA), SOC 2 was created as a way to give SaaS companies a standardized guideline when setting up data-protection requirements and processes. SOC 2 is made up of five trust-service principles:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Primarily, SOC 2 compliance will give you peace of mind that your procedures and processes do what they say: safeguard your customers’ data. And there are two other benefits:

  1. SaaS providers that are SOC 2 compliant are more trusted than those without it because certification shows a commitment to data security.
  2. Companies with lots of data to handle—especially enterprise companies with thousands or even millions of customers—are more likely to choose SOC 2-compliant SaaS providers to work with.

To get SOC 2 certification, third-party auditors must determine that a company’s systems, processes, and reporting adhere to any of the five trust-service principles. It takes a lot of time and effort to get certified, but more and more SaaS companies are taking the lead to gain user trust by making their SOC 2 compliance known.

An example is Intercom, a platform designed to make B2C messaging easier. They recently announced that they’re now SOC 2 compliant. One of their business goals is to create innovative products, but they also want to make sure their customers trust these products. In line with SOC 2 compliance, Intercom plans to conduct annual reviews to make sure that their procedures are enough to keep customer data safe and that they consistently meet customers’ needs and expectations.

SaaS providers rely on their customers to help them grow. It doesn’t matter how creative and cutting edge the products are; if customers can’t trust that their data is safe, they won’t sign up. Your company’s commitment to security, availability, processing integrity, confidentiality, and privacy will determine your success. In short, SOC 2 compliance is the bridge between a tech innovation and building trusting relationships with customers.

Let’s take a closer look at what businesses need to know about SOC 2 compliance.

SOC 2 compliance mitigates security risks over a period of time

There are two types of SOC 2 reports: Type I and Type II. Type I reports take less time to prepare for and obtain because they only look at how good a job you’ve done at setting up standard procedures for your business. For example, Type I reports will look to see whether your procedures can handle issues like data breaches. Type I reports don’t verify whether these procedures actually work, just that you have a plan. Also, Type I audits only check for compliance at a single point in time.

Type II audits, on the other hand, check not only that your procedures are in place, but that they are successful and supported for a period of time (six months, for example). The audit process to get this level of certification is meticulous and much stricter than Type I, but the benefits are greater. According to Blissfully, a SaaS management platform, Type II audits are “more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on.” To have third-party auditors agree that your data security measures meet a high standard is pretty powerful. Companies are much more likely to want to invest and do business with you.

Make SOC 2 work for you

If the decision about which SaaS provider to choose comes down to you and a competitor, having SOC 2 Type II compliance may be the determining factor. Emphasizing that you are SOC 2 compliant and stating the audit type can be a game changer, especially as discerning companies will look for Type II. Eighty-eight percent of consumers research their options online before they buy, so be sure to highlight your SOC 2 compliance on your website as well.

Intercom has a page on their website dedicated to their security measures, which contains details about their SOC 2 compliance.

Much like Intercom, when you obtain your SOC 2 Type II report, include the following information on your website:

  • Which of the five trust-service principles you adhere to
  • For each principle, a summary of the procedures you follow internally
  • Contact information for your security team so people know where to go for more information

As 77% of the U.S. population have a social media profile, go one step further and share your SOC 2 status on sites like Twitter and Facebook. That way, as your audience researches their options on platforms where they spend the most time, your announcement stands out and draws them in to learn more about your data-security standards.

Get creative with how you share your compliance. You want your audience to see it, so find out where they spend the most time online and target them there. Your promotion strategy might include social media and industry platforms.

SOC 2 compliance allows you to show your strengths

Even though there are five trust-service principles, SaaS companies aren’t required to use them all to safeguard data. For example, if a SaaS business is primarily focused on data storage, protecting systems against unauthorized access is their priority. As such, Security is the principle their SOC 2 audit will focus on.

Before your SOC 2-compliance audit takes place, consider how your business practices relate to the five criteria. Then decide which areas you’ll focus on:

  • If you offer CRM services, then all five principles might apply to you.
  • If you offer sales and marketing services, then Confidentiality, Security, and Availability might apply to you.
  • If you offer analytics software services, then Processing Integrity, Security, and Availability might apply to you.

Add in what your customers expect from you, and the principles most relevant to you become clearer. For example, find out whether customers want access to features like data recovery, two-factor authentication for their end users, or end-to-end encryption. The answers will tell you which principles to focus on.

When Auth0, an authentication and authorization platform, went for their SOC 2 report, they gave some thought to what their customers expected from them. They found that customers wanted to be sure of two things:

  • The kind of security Auth0 had in place to prevent data breaches
  • Whether services would be constantly available

For Auth0 this meant that Security and Availability were the two principles they chose to be audited on to get their SOC 2 Type II report.

How to get started

Meeting customers’ needs is critical to your success, so use their insights to ensure that your SOC 2 compliance is relevant to them.

There are many ways to determine what customers need. Here are a few examples to try:

  • Review follower comments on social media. Use your Facebook business page to see the types of comments your audience leaves on posts, the types of content they share on your page and their own, and the type of positive or negative feedback they leave.
  • Review the types of questions or concerns callers share with your customer support team. Customers call into support for specific reasons, such as when they’ve encountered an issue or found that a feature doesn’t work the way it should, or if they’re unsatisfied with the service. Use this feedback to understand how you can serve them better.
  • Email a short survey based on the above to narrow down customer needs. Use multiple-choice questions followed by open-ended fields so customers can explain the reason for their choices.
  • Use your website’s lead-generation forms to understand customer needs. When leads share their names and email addresses, use the confirmation screen to ask one multiple-choice question. Include the top four or five needs customers have, and ask new leads to share which one is most important to them.
  • Conduct a feature value analysis. Look at how customers use your product to see what features are most important to them. How customers use your product will tell you how you can best support them.

Compile and analyze the data from your research to understand what your audience and customers care about the most. Incorporate this insight into your procedures and choose which principles to focus on.

Regular audits ensure SOC 2 principles are met consistently

As technology evolves and threats—both known and unknown—become savvier, it’s important to conduct regular audits of the principles your business follows.

At Auth0, they’re continuously deploying new releases—three to four times a day to be exact. That means they have processes in place to track every release. To adhere to the procedures they’ve committed to in the Security principle of their SOC 2 Type II report, Auth0 requires that another team member approve updates before moving anything from staging to production.

In addition, Auth0 continuously runs three types of tests—unit, function, and HTTP—to ensure that the code, user interface, and APIs are running the way they should. And since these tests are run using Slack integrations, there’s also a historical log of what ran, and when.

When you develop policies and procedures for your SOC 2 Type II report and audit, use the following questions as a guide. Keep in mind that these questions apply to all principles:

  • What parameters do you have to determine if there’s a real threat that needs you to take action and resolve?
  • Who is notified first, and what will they do?
  • How do you define what’s normal for your cloud storage environment?
  • What types of threats are there on cloud environments?
  • When are customers made aware of the issue?
  • What kinds of information will you send customers?
  • How often will you communicate with customers as the issue is being resolved?
  • How will you share information with customers (via email, text, or social)?
  • Where is documentation stored?
  • Is it easily accessible for review by anyone on the team?
  • Is there a place for customers to track your change log?

The answers to questions like these lay the foundation for your SOC 2 report and help you anticipate and plan for threats.

How to prepare for your audit

There are four steps to take as you get ready for your audit:

  • Set the objectives of the audit. This is where you figure out what type of audit you need: SOC 2 Type I or Type II. If you want to test that the procedures you currently have in place are designed properly, get a Type I audit. If you want to go further and test whether your procedures function the way you’ve designed them to over a period of time, get a Type II audit.
  • Address concerns. Depending on your industry, brush up on the relevant local, state or federal rules, policies and regulations. The goal here is to show in your documentation that you’re aware of the rules that govern how your business operates and have accounted for them.
  • Create process documentation. Write down every detail of the procedures you follow, since your documentation is used by CPAs to determine whether you’re ready for SOC 2 certification. Use the 11 questions above as a starting point for creating your procedures guides.
  • Assess your readiness for the actual audit. Go through every section of your documentation to be sure you’re ready for any threats you might experience. This dry run also gives you a chance to identify issues and resolve them in advance of the actual audit.

Of the two types of SOC 2 compliance audits, SOC 2 Type II takes longer. Start preparing months before your scheduled audit to give yourself enough time to identify and fix issues and ensure that your procedures adequately support your principles. Take time to find opportunities to improve security, upgrade documentation, and share the updates with your team.

Data security is the key to business success

Companies like Intercom and Auth0 have demonstrated the value of SOC 2 compliance. While their growth and success aren’t purely a result of the certification, it has played a role in helping them attract large enterprise businesses. SMBs and enterprises that rely on your services need to be confident that you are prepared for security threats. These customers are more likely to choose you and refer you to their network.