August 13, 2024

Connectifi...Now SOC 2 Compliant

We are happy to announce that Connectifi is SOC 2 Type 2 compliant as of August 2024! Our audit was completed by The Johanson Group.

But what is SOC 2?

In today's digital landscape, companies are handling more personally identifiable information (PII) and other user data than ever before. With so much data stored and shared between platforms, it’s imperative that a standard be set for companies to adhere to when handling user data.

In 2010, the American Institute of Certified Public Accountants (AICPA) introduced a new auditing standard, SSAE 16; included in this were new reports that would soon be known as the Service Organization Control (SOC) 1, 2, and 3 reports. In 2017, these standards were updated in SSAE 18, which is still used today. SOC 1 focuses on controls for financial statements and reporting; SOC 2 focuses on the handling of user data; and SOC 3 would be a parsed version of SOC 2 reports meant for public consumption. Most relevant in tech these days is SOC 2. In the following, we’ll go over what SOC 2 compliance is, how to achieve it, and why it is important in today’s digital world.

What does it mean to be SOC 2 compliant?

SOC reports are reports; the SOC 2 report indicates how a company adheres to the AICPA’s standards for handling data (not exclusive to user data). There is not a badge or piece of paper that says a company has achieved SOC 2 compliance. Instead, external parties can request a company’s SOC 2 report. The report does not say whether a company passed or failed its audit; rather, it provides objective insight into the company’s data handling practices.

There are two types of SOC 2 reports: Type 1 and Type 2. A SOC 2 Type 1 report audits a company at any given point in time. This report takes a significantly shorter period of time to generate than the Type 2 report. SOC 2 Type 2 audits are conducted over time; the time frame can range anywhere between 3 and 12 months.

So how does a company become SOC 2 compliant?

Evaluating Compliance

The SOC 2 report focuses on 5 trust service criteria (TSCs). Within each TSC, there are a number of controls related to each criterion that are evaluated during an audit. The 5 TSCs are:

  • Security
    • The security controls cover a company’s practices to protect against unauthorized access to systems and data, and system damage.
  • Availability
    • The availability controls cover a company’s methods to minimize downtime, recovery plan, and data redundancy/backup practices.
  • Processing Integrity
    • The processing integrity controls deal with the data a company requires to function, as well as how that data is ingested, processed, and outputted. How efficiently, accurately, and securely data is handled is also reviewed in this control.
  • Confidentiality
    • The confidentiality controls review what confidential data is and how it is stored.
  • Privacy
    • Privacy controls cover how a company handles personal information. This includes transparency about data collection methods, obtaining consent prior to collecting data, purpose of the data collection, and how long sensitive data is stored before it is destroyed.

Why it matters

SOC 2 compliance is a gauge of how well a company adheres to data handling standards set by the AICPA. Having a SOC 2 report available shows a company’s dedication to data privacy and security, especially Type 2, as it is more comprehensive and thorough. But why is this important? The standards set in SOC 2 reports provide companies with guidelines to minimize their exposure to security breaches and data leaks, and generate playbooks for incidents. For end-users, SOC 2 compliance provides transparency into a company’s data handling practices and ensures they permit the collection of their data.

You can request a copy of our SOC 2 Type 2 report by reaching out to us at info@connectifi.co.

Still thinking about security? Check out our security scorecard to see how your integration’s security practices stack up to ours.