Brands and agencies looking for software partners might have noticed that many are sporting a new certification: SOC 2 compliance.
SOC 2 has been popular among the major accounting firms; companies as big as PricewaterhouseCoopers, Ernst & Young, and others have recently announced that they are SOC 2 compliant. Increasingly, though, the certification is spreading to e-commerce.
At this point, as the CTO of Intentwise, I feel that any e-commerce brand or agency looking to store data absolutely needs to prioritize software providers that are SOC 2 compliant.
What is SOC 2 compliance?
“SOC” stands for “System and Organization Controls,” and it is a set of rules, outlined by the American Institute of CPAs, devised for companies that handle customer data. Essentially, SOC 2 compliant companies are following the highest standards of privacy and security around customer data.
At Intentwise, we became SOC 2 compliant earlier this year. Because we organize and store customer data for brands and agencies as a part of our regular work, we wanted to demonstrate how safe and secure our processes are.
We live in an era of increased vigilance around data privacy, especially in the ad world. SOC 2 standards are great because they ensure that your chosen software provider is as committed to protecting your customers as you are.
Yes, no company intends to create a process that doesn’t measure up to the highest security standards. But SOC compliance applies an extra—and often needed—layer of scrutiny. What SOC does is force companies to step back and ask themselves: Have I overlooked something?
What is the difference between Type 1 and Type 2 compliance?
As soon as you begin to look into SOC 2 compliance, you might notice that there are actually two SOC 2 certifications: Type 1 and Type 2.
- Type 1 compliance provides a snapshot of SOC 2 compliance at a single point in time. You receive SOC 2 Type 1 compliance when you prove that you have adjusted all of your security and privacy practices to meet the SOC 2 standards.
- Type 2 compliance measures your recurring commitment to these practices. Basically, Type 2 means that the processes your company devised in order to become SOC 2 compliant are actually being followed. You only receive Type 2 certification six months after first receiving SOC 2 Type 1 compliance.
Okay, but what does SOC 2 actually look like?
At Intentwise, coming into compliance was a 4-5 month process. We nominated 8-9 employees to work part time on studying our data practices, and we hired an outside auditor to evaluate those practices for us.
As part of our SOC 2 journey, we focused on the following:
- Multi-factor authentication: We required anyone who comes into contact with sensitive data to use multi-factor authentication for all accounts.
- New employee security: We mandated that new employees encrypt their computer hard drives and add an automatic screen lock to their laptops, among other security measures.
- VPNs: We implemented a VPN system throughout the company.
- Data encryption: We encrypted all of our databases on PostgreSQL and Amazon Redshift. In order to ensure our data warehouses were fully encrypted, we had to pause our data operations for 8 hours last year, beginning one Friday night. It was our longest planned outage in 6 years of operations, but it was necessary for keeping our customer data safe.
- Code review: We wanted to be sure that the number of employees who had access to our production systems—where the customer data actually lives—was minimal. So we limited the number of people who could actually push a new line of code to the Intentwise platform.
Want to see what a SOC 2 audit looks like?
Ultimately, after several weeks of auditing, we found that many of our pre-existing processes and privacy practices already cleared the threshold for SOC 2 compliance. In the end, we only made a few changes to our procedures in order to receive the SOC 2 certification.
But I’m glad that we chose to get a SOC 2 audit, because it gives peace of mind—both to us at Intentwise and to our clients—that we are keeping sensitive data safe. A SOC 2 certification can help Intentwise build trust with our clients and partners, demonstrate our commitment to information security, and manage risk effectively.
If you want to see what a SOC 2 audit looks like, download ours below. At Intentwise, we take data security seriously, and I think our SOC 2 report proves that.