Qminder Is Now SOC 2 Type I Compliant
We wanted to share some good news with you: as of 31 March 2021, Qminder has officially completed its SOC 2 Type I examination. Our processes were found to satisfy the SOC 2 standards.
If you’re wondering, “What is SOC 2 Type I, exactly?”, here’s some more good news: we decided to write this short article. We will explain the importance of SOC 2, the actual components involved in getting audited, and the difference between different types of SOC 2 reports.
In short, SOC 2 compliance proves how seriously we take data security. Being compliant with SOC 2 provides our clients with a level of assurance that sensitive customer data will be handled reliably and securely.
With the prevalence of cyber security attacks, identity thefts and data breach incidents, organizations want to be sure that the third-party service providers they use can handle confidential customer data.
SOC 2 Type I is what gives these organizations confidence.
What is SOC 2 Type I?
First things first, let’s decypher this three-letter abbreviation. SOC stands for Service Organization Control, an auditing procedure which ensures that third-party service providers can securely manage customer data.
Developed by the American Institute of CPAs (AICPA), SOC 2 defines five “trust service principles” that providers need to abide by to be considered SOC-compliant:
-
Availability.
-
Confidentiality.
-
Processing integrity.
-
Security.
-
Privacy.
Availability refers to the accessibility of the service provider’s system as stipulated by a service level agreement. The minimum acceptable performance level is agreed upon by both parties.
Availability does not address functionality or usability, but it does deal with the system’s handling of security incidents.
Confidentiality describes the levels of use and access to sensitive information. Network firewalls as well as access control can be used to protect this information.
Processing integrity refers to the system’s ability to achieve its intended purpose, i.e. deliver the right data at the right time. Quality assurance is what helps ensure processing integrity.
Security refers to the system’s ability to protect itself against unauthorized access. IT security tools — such as two-factor authentication, access control and firewalls — help detect intrusion and prevent misuse of customer data.
Privacy describes the system’s use, storage and disposal of personal information. Identifiable information like name, address, social security number and more need an extra level of protection to minimize the probability of identity theft.
So to sum up, SOC 2 report is a certification issued by auditors who assess the service provider’s compliance with the five trust principles.
In Qminder’s case, the auditors assessed our security — the biggest of five SOC principles — and found it to satisfy all requirements.
What is the difference between SOC 2 Type I and SOC 2 Type II?
As you might have guessed, the “Type I” part implies that there’s more.
Indeed, there are two types of SOC reports: SOC 2 Type I, the report for which we got, and SOC 2 Type II.
What’s the difference between them? Which one is better?
SOC 2 Type I assesses the vendor’s suitability with regards to the abovementioned trust principles at a specific point in time. SOC 2 Type II describes the effectiveness of the vendor’s system over time.
SOC 2 Type II certification is issued after observing the service provider’s operations for the period of six months.
So in terms of which one is better, SOC 2 Type II provides even more assurance but it takes time to get audited for it.
To be precise: SOC 2 certification is voluntary. The reason why Qminder, along with many other service providers, choose to get this certification is to make clients sure that all data is handled securely.
Fingers crossed, in six month’s time you’ll be reading another article — about how we received our SOC 2 Type II certification.
In the meantime, you can rest assured that we’ll do our utmost to keep your information safe with us.
