Information is the lifeblood of many organizations, and keeping it secure has become a critical concern for IT departments across the world. This is especially true as organizations continue to move critical business functions – including data hosting, CRM systems, and other SaaS applications – into the cloud.
We take the security of our customers’ data very seriously. That’s why we’re pleased to announce that our managed cloud solution has been SOC 2 Type II certified by an independent third-party auditor to ensure compliance with industry standards and best practices for information security and confidentiality.
What is SOC 2?
Developed by the American Institute of CPAs (AICPA), System and Organization Controls (SOC) are a set of criteria that govern a wide range of security controls, including:
- Technical controls (access controls, data encryption, firewalls, etc.)
- Corporate controls (physical security, personnel security, corporate governance, etc.)
- Legal controls (contract execution, NDAs, intellectual property, etc.)
- Software development controls (secure source code, change management, quality assurance, etc.)
SOC 2 certification is optional, but it is highly important for any vendor that stores data in the cloud as a way to minimize their risk and reduce the exposure of that data. Companies that wish to be certified agree to compliance audits conducted by a registered CPA, who must be independent of the provider being audited. The resulting reports, which are unique to each vendor, outline the specific business practices and controls the provider has put in place to manage the exchange and security of data.
There are two levels of SOC 2 certification. Type I describes a provider’s systems at a point in time (not continuous), with a focus on the description, documentation, and design of adequate controls. We received Type I certification for both our managed cloud environment and our on-premises/private cloud solution in March 2018.
The more stringent Type II certification that we recently received details the implementation and operational effectiveness of the security controls in our managed cloud environment over a period of time (usually several months) as judged by an independent auditor. This audit also covered a number of controls that are shared with our on-premises/private cloud offering, including technical, corporate, and software development controls.
The Many Benefits of SOC 2 Certification
SOC 2 Type II compliance is about putting well-defined security policies, procedures, and practices in place – not about taking shortcuts just to get another spec added to a data sheet. The process to obtain this certification takes about a year and allows us to double-check all of the security measures we obsess about, plus get suggestions on ways we can make them even stronger.
Moving operations to the cloud brings many benefits, including fewer infrastructure management responsibilities and costs that scale with computing requirements. Unfortunately, if IT personnel don’t know what security measures to insist on, this migration can also bring certain risks that can leave their organization vulnerable to attacks, such as data theft, extortion, and malware installation. By doing business with vendors that are SOC 2 Type II certified, IT security teams can sleep easier knowing that they are working with vendors that have put the proper long-term security practices in place to ensure the security of their information resources.
About the Author:
Bob Laurent is a Sr. Director of Product Marketing at DataRobot. Prior to DataRobot, he ran product marketing at Alteryx, where he was responsible for driving awareness and growing a loyal customer base of empowered data analysts. He has more than 20 years of marketing, media relations, and telecom network engineering experience with Fujitsu and NYNEX (now Verizon). Bob resides in Dallas with his wife and two boys, and holds a Bachelor of Science degree from Clarkson University, plus an MBA from New York University's Stern School of Business.