At Synder, we’ve always considered customers’ data one of our most valuable assets. Since the company’s beginning, we’ve been focusing on implementing the best data security practices to ensure that your data is safe with us. That’s why we’re thrilled to announce that Synder is now SOC 2 Type 2 compliant.
The journey to obtain SOC 2 Type 2 compliance has been long but gratifying, and today we’d like to take some time to explain what it is and what it means to Synder and our customers.
What is a SOC report?
In the current landscape, sensitive customer information is exchanged in every digital interaction across your organization and third parties. Naturally, this data is prone to internal and external threats that need to be mitigated with the help of thorough security features, certifications, and compliance with security standards.
To give organizations a consistent way to manage and protect sensitive information, the American Institute of Certified Public Accountants (AICPA) developed a set of attestation standards called System and Organization Controls (SOC) that describe how a service organization’s controls over that data are to be evaluated and reported on. Since then, SOC reports have become the most widely requested security assurance for companies that host customer data in the cloud, especially in North America.
There are two main types of SOC reports, distinguished by the kind of service an organization provides (a third, SOC 3, is a general-use summary of a SOC 2 report that can be published freely):
- SOC 1 – developed for organizations whose services impact or may impact their clients’ financial reporting; it focuses on internal controls over financial reporting;
- SOC 2 – developed for organizations that hold, store, or process their clients’ information; it addresses the controls relevant to operations and compliance and focuses on how well customer data is secured and protected. SOC 2 reports are restricted-use documents because they describe the test procedures and test results in detail, so they are typically shared only with customers and prospects under an NDA.
What is SOC 2?
SOC 2 is a voluntary compliance standard that shows an organization’s security practices and protocols are strong enough to protect customer data. Controls are evaluated against five Trust Services Criteria. Security is the only criterion every SOC 2 report must cover; the other four are included depending on the services an organization provides and what it commits to its customers:
- Security. This fundamental principle verifies that an organization’s systems are protected, both physically and logically, against unauthorized access that could result in data loss or theft, misuse of software, and similar harm. Typical controls assessed under this principle include web application firewalls (WAFs), two-factor authentication, access reviews, and intrusion detection.
- Availability. The availability principle looks at whether systems are available for operation and use as committed or agreed. Here the auditor focuses on capacity and performance monitoring, backups and disaster recovery, and how quickly incidents are detected and resolved.
- Processing integrity. This principle checks whether system processing is complete, valid, accurate, timely, and authorized, and whether the organization follows its data processing and quality assurance procedures. In practice it verifies that processing errors are prevented where possible and, where they occur, are promptly detected and corrected. Processing integrity is especially important for financial services companies such as Synder, which are expected to deliver consistent, accurate, and timely data to their clients.
- Confidentiality. The confidentiality principle ensures that access to and disclosure of information designated as confidential is restricted, for example through encryption and access control. It covers the agreements between an organization and its customers on how the data may be used, who has access to it, and how it is protected.
- Privacy. The privacy principle covers how personal information is collected, used, retained, disclosed, and disposed of in line with the organization’s privacy notice and applicable privacy principles; unlike confidentiality, it applies specifically to personal data.
The objective of SOC 2 is to standardize security policies and procedures, enhance regular compliance activities and, eventually, reduce risk.
SOC 2 isn’t a one-off exercise done just to produce an audit report. It is a framework for standardizing and scaling processes that prioritize processing integrity, customer data security, confidentiality, privacy, and system availability. Depending on how the controls are evaluated, SOC 2 reports come in two types:
- Type 1 – evaluates the design of an organization’s security controls at a single point in time.
- Type 2 – assesses whether those controls are designed appropriately and have operated effectively over an extended period. The observation window is commonly at least 3 months, and often 6 to 12 months for subsequent reports.
As you can see, the two types differ in thoroughness and the level of assurance, and we’re proud to say that Synder is SOC 2 Type 2 compliant.
What did Synder do to become SOC 2 compliant?
The road to SOC 2 compliance wasn’t easy. Our team underwent a 3-month independent audit by a third-party auditor, Insight Assurance LLC, which verified we’re securely managing our customers’ data.
To prepare for the review process, we added Vanta to our tech stack. Vanta is an automated security and compliance platform that identifies security and privacy gaps in a company’s controls. It was connected to Synder’s core systems and has since been continuously monitoring our cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts. All of our staff, new and existing employees alike, completed virtual security training to reduce the risk of human error.
Thanks to Vanta, we’ve been able to scale our security practices and automate compliance for the industry’s most sought after standards. Check out Synder’s Vanta Trust Report to see the real-time status of our security tests and controls, and get access to security documentation if required.
Why is Synder’s SOC 2 Type 2 compliance important?
It’s important to note that SOC 2 compliance isn’t mandatory. Synder went through the rigorous and time-consuming independent audit process to ensure top-level security and compliance, and to demonstrate our commitment to protecting our customers’ sensitive data. We’ve aligned our security efforts with AICPA’s Trust Services Criteria and are honored to display the SOC 2 badge.
The Synder team knows how important trust and security are for building long-lasting customer relationships. Achieving SOC 2 compliance is an important milestone that required concerted effort, but security is a continuous process. We stay in line with ever-evolving security and data management requirements, and our willingness to undergo an independent audit every year reaffirms this commitment. Our customers can rest assured that their data is handled under controls an independent auditor has tested.