IRIS CARBON® – our SaaS disclosure management and XBRL | iXBRL reporting platform – is now SOC 2 compliant for Type I and Type II. We’re proud to display our SOC 2 badge, which is testimony to our commitment to keeping your data secure.
What’s SOC 2 Compliance?
A SOC 2, or Service Organization Control 2, is a technical audit process that is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. The audit is meant to verify whether a technology-based service organization (read: SaaS company) manages the security and privacy of the client information it stores in the cloud. That information needs to be safeguarded in accordance with the trust criteria of security, availability, processing integrity, confidentiality, and privacy.
A SOC 2 audit is of two types – Type I and Type II.
Type I: A Type I audit report contains management’s description of a service organization’s systems together with the service auditor’s assessment of whether those systems are suitably designed to meet the trust criteria or principles.
Type II: A Type II audit report goes a step further and describes the operational effectiveness of the service organization’s systems. It covers how the organization operated and managed those systems over a review period of at least six months.
The 5 Trust Criteria Involved
Security: Security involves protecting information and systems from unauthorized access through measures such as firewalls and two-factor authentication. These access controls help protect systems from unauthorized removal or theft of data, system abuse, and the misuse of software.
Availability: Availability pertains to the maintenance and accessibility of products and services as agreed upon – through acceptable levels of network performance, site failovers, handling of security incidents, and mitigation of external threats. The product or service needs to be accessible for operation, monitoring, and maintenance at all times.
Processing integrity: Processing integrity is about ensuring that data is processed and operations are carried out as expected. Data processing operations need to be authorized, accurate, complete, and timely. This criterion covers not only data integrity itself but also the monitoring and review of data processing activity.
Confidentiality: Confidentiality involves restricting data access to a specified set of persons or entities. Confidentiality requires encryption as a control mechanism during data transmission, as well as access controls that safeguard information from being accessed by unauthorized personnel.
Privacy: Privacy is about an organization’s ability to protect sensitive personal information related to ethnicity, religion, gender, and health. The principle of privacy relates to the collection, use, retention, disclosure, and disposal of sensitive information in keeping with an entity’s privacy policy as well as the AICPA’s Generally Accepted Privacy Principles (GAPP).
Why Comply With SOC 2?
SOC 2 compliance involves a SaaS company setting up systems that ensure customer data is safeguarded from unauthorized or malicious activity. The company also needs to be alerted when customer data is, or may be, accessed without authorization.
Meeting SOC 2 compliance means establishing processes and practices that provide oversight across the company, assuring customers that their data is protected from any unusual, unauthorized, or suspicious activity.
SOC 2 compliance gives the clients of a SaaS provider an assurance that the provider has the infrastructure, tools, and processes to safeguard their data from unauthorized access.