Storing Customer Data: Our Journey to SOC 2 Certification
By Joel Friedman
Dec 07, 2021
While you work through your to-do list, chances are you’re paying more attention to your internet speed than the strength of your system security infrastructure. When it comes to purchasing SaaS products, system security is just as important a consideration as functionality in our everyday lives — if not more.
At Aclaimant, we go above and beyond to show our customers that security is not just an afterthought. That’s why we took an essential step forward on our security journey by obtaining our SOC 2 Type II certification.
What is SOC 2 Compliance?
SOC 2 is a framework of five key trust services criteria, designed by the American Institute of Certified Public Accountants (AICPA), that service providers use to show that the protection of sensitive and private information is well managed. Today, these trust services criteria apply to most SaaS companies.
This framework was designed by the AICPA as a bar to which organizations should hold themselves in order to convey the importance of security. The SOC 2 certification has become the accepted standard enterprise SaaS companies can use to validate the services they provide are secure and trustworthy.
Why SOC 2, and Why Now?
At Aclaimant, we have always taken security seriously. As the CTO and acting CISO, the security of Aclaimant is one of my main areas of focus. This mentality has become core to how I think about building systems, and strong security remains one of our founding principles.
In the early days of the company, we wrote up our own security Q&A assessment. An exponential increase in average contract size led to more outgoing requests for security questionnaires and assessments than ever before. With SOC 2 reports, we could handle this influx of requests from multiple user entities with a single standard document.
The processes that are necessary to complete a SOC 2 audit reduce risk, establish foundational controls auditors look for, and offer standards-based proof for enterprise security teams.
Aclaimant’s Accelerated Path Forward
While it can sometimes take a company six to 12 months to prepare for its first SOC 2 audit, we opted for a faster timeline while still ensuring a quality, accurate process. To accelerate it, we needed a solid understanding of the certification process and the right informational tools to support it.
- Step 1: Understanding the certification. We began our journey by gathering insights from other industry experts within our network and researching and educating ourselves about the undertaking. We also interviewed auditors to provide an overview of the process (and scouted a new audit firm).
- Step 2: Creating clear and comprehensive policies. We then identified the right tool to help generate policies based on recommendations and individual needs. Since all employees must read and sign all policies on a yearly basis, we review policies annually and point out key takeaways for each role.
- Step 3: Collecting supporting documentation. Supporting documentation shows the auditors that we implemented and followed the necessary controls. Given the many tools we used and our ongoing control monitoring, the process took approximately two weeks to complete. We were even able to perform it remotely (we are a remote-first company, after all).
5 Key Takeaways for Business Leaders Seeking SOC 2 Certification
With trust at the core of our company mission, Aclaimant has now earned SOC 2 Type II certification. Completing our SOC 2 examination is essential to maintaining the trust of our valued customers. Now that we’re certified, we can continue to show our clients how effectively we secure the privacy, confidentiality, and integrity of the data placed in our hands.
As you embark on your own SOC 2 certification journey, here are a few things to keep in mind.
1. Don’t start from scratch
Policy templates can be easily found online. Be sure to find a tool to help generate policies based on the recommendations and needs of your company.
2. Simplify the onboarding process with a single sign-on (SSO)
SSO simplifies the onboarding process by allowing users to securely authenticate across multiple applications and websites with just one set of credentials.
3. Build checklists
Ensure you know which tools employees are using, even if they are added during the employee’s tenure. When an employee leaves, use the checklist to lock down and remove access to all tools within 24 hours of the employee’s departure.
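The 24-hour offboarding control above is one an auditor will ask you to evidence. The following script is an added example, not Aclaimant's code or part of the original post: it compares a constructed HR departure roster and a per-employee tool checklist against constructed user exports from each tool, and reports any tool missing from the checklist, any account still active, and any account revoked later than departure plus 24 hours. All names, tools, timestamps and the record layout are hypothetical.

```python
from datetime import datetime, timedelta

# The control being checked: access to every tool removed within 24 hours.
OFFBOARDING_SLA = timedelta(hours=24)

# Constructed sample data (hypothetical; not real HR or tool records).
# HR roster: departed employee -> departure timestamp (ISO 8601).
DEPARTURES = {
    "alice@example.com": "2021-11-01T17:00:00",
    "bob@example.com": "2021-11-03T12:00:00",
}

# Offboarding checklist: the tools each employee was known to use.
CHECKLIST = {
    "alice@example.com": {"sso-idp", "ticketing"},
    "bob@example.com": {"sso-idp", "ticketing", "cloud-console"},
}

# Per-tool user exports, as pulled from each admin console or IdP API.
# deactivated_at is None while the account is still active.
TOOL_ACCESS = {
    "sso-idp": [
        {"user": "alice@example.com", "deactivated_at": "2021-11-01T18:30:00"},
        {"user": "bob@example.com", "deactivated_at": "2021-11-03T13:00:00"},
        {"user": "carol@example.com", "deactivated_at": None},  # current employee
    ],
    "ticketing": [
        {"user": "alice@example.com", "deactivated_at": "2021-11-04T09:00:00"},
        {"user": "bob@example.com", "deactivated_at": "2021-11-03T15:00:00"},
    ],
    "cloud-console": [
        {"user": "alice@example.com", "deactivated_at": None},
        {"user": "bob@example.com", "deactivated_at": "2021-11-04T11:00:00"},
    ],
}


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a naive datetime."""
    return datetime.fromisoformat(value)


def _hours(delta):
    return delta.total_seconds() / 3600


def audit_offboarding(departures, checklist, tool_access, now, sla=OFFBOARDING_SLA):
    """Compare departed employees against every tool's user export.

    Returns a list of (user, tool, issue) tuples. Three issue kinds:
      - the tool was not on the employee's offboarding checklist (a tool
        added during their tenure that offboarding would have missed);
      - the account is still active past departure + SLA;
      - the account was deactivated, but later than departure + SLA.
    An empty list means every departure met the 24-hour control.
    """
    findings = []
    for user, left_at in departures.items():
        deadline = parse_ts(left_at) + sla
        known_tools = checklist.get(user, set())
        for tool, records in tool_access.items():
            for rec in records:
                if rec["user"] != user:
                    continue
                if tool not in known_tools:
                    findings.append((user, tool, "not on offboarding checklist"))
                if rec["deactivated_at"] is None:
                    if now > deadline:
                        late = _hours(now - deadline)
                        findings.append((user, tool, f"still active, {late:.1f}h past deadline"))
                else:
                    revoked = parse_ts(rec["deactivated_at"])
                    if revoked > deadline:
                        late = _hours(revoked - deadline)
                        findings.append((user, tool, f"revoked {late:.1f}h past deadline"))
    return findings


def is_compliant(findings):
    """True when the audit produced no findings."""
    return not findings


if __name__ == "__main__":
    # Constructed audit time: roughly a week after the sample departures.
    audit_time = parse_ts("2021-11-10T09:00:00")
    results = audit_offboarding(DEPARTURES, CHECKLIST, TOOL_ACCESS, audit_time)
    for user, tool, issue in results:
        print(f"{user:20} {tool:14} {issue}")
    print("compliant" if is_compliant(results) else "findings need follow-up")
```

Run it on a schedule against real exports and keep the output with your supporting documentation: a run with no findings is direct evidence that the control operated, and a finding flags both the late revocation and the tool nobody knew the employee had.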
4. Keep track of vendors to prevent unauthorized access
With any compliance undertaking, including GDPR and CCPA, it is essential to assess the performance of your vendors and other service organizations. Regular reviews keep customer data safe and help prevent security incidents.
5. Use beneficial tools
From GSuite to Vanta and Blissfully, effective tools helped our team understand how to efficiently put controls in place and monitor many of the controls.
If you or your company are looking to go through the SOC 2 process and looking for some guidance, please reach out to us at firstname.lastname@example.org.