As the way we use the internet evolves, it has gotten easier for users to access their data from anywhere in the world. But there’s also a downside to this level of access: There’s a growing threat to stored data. You don’t have to look far to find news about the latest data breach or accidental leak. Extra precautions are needed to ensure data security. This is where SOC 2 compliance comes in. If you are handling data in the cloud, you need to be compliant. If you are compliant, you show your customers you care about their data. And you will get more customers in return. From email addresses to sensitive financial information, end users trust companies to manage their data properly. Here’s what you need to know about SOC 2 compliance in order to grow your business and maintain customer trust.
Why SOC 2 compliance matters
Established by the American Institute of CPAs (AICPA), SOC 2 was created as a way to give SaaS companies a standardized guideline when setting up data-protection requirements and processes. SOC 2 is made up of five trust-service principles. Primarily, SOC 2 compliance will give you peace of mind that your procedures and processes do what they say: safeguard your customers’ data. And there are two other benefits:
- SaaS providers that are SOC 2 compliant are more trusted than those without it because certification shows a commitment to data security.
- Companies with lots of data to handle—especially enterprise companies with thousands or even millions of customers—are more likely to choose SOC 2-compliant SaaS providers to work with.
SOC 2 compliance mitigates security risks over a period of time
There are two types of SOC 2 reports: Type I and Type II. Type I reports take less time to prepare for and obtain because they only look at how good a job you’ve done at setting up standard procedures for your business. For example, Type I reports will look to see whether your procedures can handle issues like data breaches. Type I reports don’t verify whether these procedures actually work, just that you have a plan. Also, Type I audits only check for compliance at a single point in time. Type II audits, on the other hand, check not only that your procedures are in place, but that they are successful and supported for a period of time (six months, for example). The audit process to get this level of certification is meticulous and much stricter than Type I, but the benefits are greater. According to Blissfully, a SaaS management platform, Type II audits are “more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on.” To have third-party auditors agree that your data security measures meet a high standard is pretty powerful. Companies are much more likely to want to invest and do business with you.
Make SOC 2 work for you
If the decision about which SaaS provider to use comes down to you and a competitor, having SOC 2 Type II compliance may be the determining factor. Emphasizing that you are SOC 2 compliant and stating the audit type can be a game changer, especially as discerning companies will look for Type II. Eighty-eight percent of consumers research their options online before they buy, so be sure to highlight your SOC 2 compliance on your website as well. Intercom has a page on their website dedicated to their security measures, which contains details about their SOC 2 compliance. Much like Intercom, when you obtain your SOC 2 Type II report, include the following information on your website:
- Which of the five trust-service principles you adhere to
- For each principle, a summary of the procedures you follow internally
- Contact information for your security team so people know where to go for more information
SOC 2 compliance allows you to show your strengths
Even though there are five trust-service principles, SaaS companies aren’t required to use them all to safeguard data. For example, if a SaaS business is primarily focused on data storage, protecting systems against unauthorized access is their priority. As such, Security is the principle their SOC 2 audit will focus on. Before your SOC 2-compliance audit takes place, consider how your business practices relate to the five criteria. Then decide which areas you’ll focus on:
- If you offer CRM services, then all five principles might apply to you.
- If you offer sales and marketing services, then Confidentiality, Security, and Availability might apply to you.
- If you offer analytics software services, then Processing Integrity, Security, and Availability might apply to you.
- The kind of security Auth0 had in place to prevent data breaches
- Whether services would be constantly available
How to get started
Meeting customers’ needs is critical to your success, so use their insights to ensure that your SOC 2 compliance is relevant to them. There are many ways to determine what customers need. Here are a few examples to try:
- Review follower comments on social media. Use your Facebook business page to see the types of comments your audience leaves on posts, the types of content they share on your page and their own, and the type of positive or negative feedback they leave.
- Review the types of questions or concerns callers share with your customer support team. Customers call into support for specific reasons, such as when they’ve encountered an issue or found that a feature doesn’t work the way it should, or if they’re unsatisfied with the service. Use this feedback to understand how you can serve them better.
- Email a short survey based on the above to narrow down customer needs. Use multiple-choice questions followed by open-ended fields so customers can explain the reason for their choices.
- Use your website’s lead-generation forms to understand customer needs. When leads share their names and email addresses, use the confirmation screen to ask one multiple-choice question. Include the top four or five needs customers have, and ask new leads to share which one is most important to them.
- Conduct a feature value analysis. Look at how customers use your product to see what features are most important to them. How customers use your product will tell you how you can best support them.
Regular audits ensure SOC 2 principles are met consistently
As technology evolves and threats—both known and unknown—become savvier, it’s important to conduct regular audits of the principles your business follows. At Auth0, they’re continuously deploying new releases—three to four times a day to be exact. That means they have processes in place to track every release. To adhere to the procedures they’ve committed to in the Security principle of their SOC 2 Type II report, Auth0 requires that another team member approve updates before moving anything from staging to production. In addition, Auth0 continuously runs three types of tests—unit, function, and HTTP—to ensure that the code, user interface, and APIs are running the way they should. And since these tests are run using Slack integrations, there’s also a historical log of what ran, and when. When you develop policies and procedures for your SOC 2 Type II report and audit, use the following questions as a guide. Keep in mind that these questions apply to all principles:
- What parameters do you use to determine whether a threat is real and requires you to take action and resolve it?
- Who is notified first, and what will they do?
- How do you define what’s normal for your cloud storage environment?
- What types of threats are there on cloud environments?
- When are customers made aware of the issue?
- What kinds of information will you send customers?
- How often will you communicate with customers as the issue is being resolved?
- How will you share information with customers (via email, text, or social)?
- Where is documentation stored?
- Is it easily accessible for review by anyone on the team?
- Is there a place for customers to track your change log?
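The release controls described above (a second team member must approve a staging-to-production promotion, the unit, function and HTTP suites must pass, and every run is logged) can be enforced in code rather than by convention. The following is an added illustration, not Auth0's own tooling: a hypothetical release gate that refuses self-approved or untested releases and keeps the historical record an auditor would ask for. Suite names, the `ReleaseRequest` shape and the sample releases are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed labels for the three test types the page names (unit, function, HTTP).
REQUIRED_SUITES = ("unit", "function", "http")


@dataclass
class ReleaseRequest:
    release_id: str
    author: str
    approvers: list[str]
    test_results: dict[str, bool]  # suite name -> passed?


@dataclass
class ReleaseGate:
    """Decides staging-to-production promotion and keeps a historical log."""
    audit_log: list[dict] = field(default_factory=list)

    def evaluate(self, req: ReleaseRequest) -> tuple[bool, list[str]]:
        reasons = []
        # Segregation of duties: the author cannot be the only approver.
        if not any(a != req.author for a in req.approvers):
            reasons.append("no approver other than the author")
        # Test evidence: a missing suite counts as a failure, not a pass.
        for suite in REQUIRED_SUITES:
            if req.test_results.get(suite) is not True:
                reasons.append(f"{suite} tests missing or failing")
        allowed = not reasons
        # Every decision is recorded, blocked ones included, for the auditor.
        self.audit_log.append({
            "release_id": req.release_id,
            "author": req.author,
            "approvers": list(req.approvers),
            "decision": "promoted" if allowed else "blocked",
            "reasons": reasons,
            "at": datetime.now(timezone.utc).isoformat(),
        })
        return allowed, reasons

    def blocked_releases(self) -> list[str]:
        return [e["release_id"] for e in self.audit_log if e["decision"] == "blocked"]


# Constructed sample requests: one compliant, one self-approved with a failed suite.
GATE = ReleaseGate()
GOOD = ReleaseRequest("rel-101", "alice", ["bob"],
                      {"unit": True, "function": True, "http": True})
BAD = ReleaseRequest("rel-102", "alice", ["alice"], {"unit": True, "function": False})
```

Calling `GATE.evaluate(GOOD)` promotes the release, while `GATE.evaluate(BAD)` is blocked with three recorded reasons; `GATE.audit_log` then holds both decisions with timestamps.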
How to prepare for your audit
There are four steps to take as you get ready for your audit:
- Set the objectives of the audit. This is where you figure out what type of audit you need: SOC 2 Type I or Type II. If you want to test that the procedures you currently have in place are designed properly, get a Type I audit. If you want to go further and test whether your procedures function the way you’ve designed them to over a period of time, get a Type II audit.
- Address concerns. Depending on your industry, brush up on the relevant local, state or federal rules, policies and regulations. The goal here is to show in your documentation that you’re aware of the rules that govern how your business operates and have accounted for them.
- Create process documentation. Write down every detail of the procedures you follow, since your documentation is used by CPAs to determine whether you’re ready for SOC 2 certification. Use the 11 questions above as a starting point for creating your procedures guides.
- Assess your readiness for the actual audit. Go through every section of your documentation to be sure you’re ready for any threats you might experience. This dry run also gives you a chance to identify issues and resolve them in advance of the actual audit.