Information security is a concern for every organization, including those that outsource key business operations to third-party vendors (e.g., SaaS and cloud-computing providers). Rightfully so: data mishandled by a vendor, and especially by an application or network security provider, can expose an enterprise to data theft, extortion and malware installation.
SOC 2 overview
SOC 2 is an auditing framework under which an independent CPA firm examines how a service organization manages customer data, so that both our company's interests and our clients' privacy are protected. For security-conscious businesses, a SOC 2 report is a minimum requirement when evaluating a SaaS provider.
SOC 2 is also a compliance standard designed for service organizations. It specifies the controls a service company should implement in order to protect customer data and information.
The standard was developed by the American Institute of Certified Public Accountants (AICPA).
SOC 2 reports are evaluated against five Trust Services Criteria (historically called the "trust service principles"): Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is the one criterion every SOC 2 report must cover; the other four are included only when the organization brings them into scope. Note that these criteria are not the same thing as the CIA triad (confidentiality, integrity, availability), although they overlap with it.
The certification
There are two types of SOC 2 reports, and both are issued by an independent, licensed CPA auditor. A Type 1 report describes the service organization's control environment and evaluates whether the controls are suitably designed at a single point in time. A Type 2 report goes further: the auditor tests whether those controls actually operated effectively over a review period (typically six to twelve months) and reports the results of that testing.
The purpose of the report is to give external parties independent assurance that the service organization has implemented sufficient controls to meet the Trust Services Criteria that are in scope of the report.
On June 1st, 2022 we received our SOC 2 Type 2 report covering the Security criterion (one of the five), for Cheq Paradome only.
The Importance of SOC 2 Compliance
While SOC 2 compliance is not a legal requirement for SaaS and cloud-computing vendors, its role in securing our customers' data cannot be overstated.
Cheq will now undergo regular audits to confirm that the controls in scope continue to operate effectively and that we remain SOC 2 compliant. Compliance covers the in-scope service and the security controls set up on our platform (DDoS protection, content delivery through CDN, load balancing and Attack Analytics).
The benefits for us as a company
Now that CHEQ is SOC 2 compliant, our customers have independent assurance that their information is handled under audited controls, and that we do everything in our power to protect them and their business.
SOC 2 also requires us to apply controls not only to our own procedures but also to the third-party vendors that assist us in our mission to protect you: vendor risk management is itself one of the audited areas.
Our Responsibilities as Employees under SOC 2
At Cheq, a large team drawn from all departments works year-round to maintain our compliance. The effort is led by the cyber security team under the Director of Cyber Security, who reports to the company CTO, and includes R&D, QA, HR, Legal and other business units. Leadership will keep the company on track by tracking and fixing SOC 2-related findings throughout the year, but staying compliant is everyone's responsibility: each of us must keep the compliance guidelines in mind so that our day-to-day actions are always consistent with them.
SOC 2 Future Plans
Next year (2023) we plan to bring both Clickcease and Paradome through a SOC 2 audit covering more than the Security criterion alone. This will support Clickcease's growth and establish it as a strong, secure and industry-recognized product.
SOC 3®— SOC for Service Organizations: Trust Services Criteria for General Use Report
This report is designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. Unlike a SOC 2 report, which is a restricted-use document typically shared with customers and prospects under NDA, a SOC 3 report is a general-use report and can be freely distributed.