We have always paid close attention to security and privacy, and it's nice to learn that focus has been paying off. I’m happy to announce that Compaas has received SOC 2 Type 1 certification!
What’s that? A SOC 2 audit provides our customers with the assurance that we have policies and procedures in place to protect all of our systems and data. The SOC 2 Type 1 audit investigated our software and systems to confirm our ability to meet a thorough set of security, privacy and compliance criteria. A penetration test is a recommended component of the examination for SaaS providers, and the penetration test includes a scan of all of our servers for possible vulnerabilities.
That’s a lot to dig into, and we passed!
The finished report is a significant accomplishment, because a company's first SOC 2 report requires documenting and formalizing many things that might have been ad-hoc or inconsistent. Even when our processes were well-designed and carefully tested , we still hadn't written most of them down. The SOC 2 audit forced us to take a hard look at all of our processes, from onboarding to data security, and make sure they were the right ones. We had to write down all our decisions and commit to them.
If that sounds like a lot of work for an early-stage startup — it is! So why did we do it so early?
Compaas shall remain a company that is secure by design. Clarifying and documenting our processes now means our products will always be security-centered and we’ll never try to tack on security as an afterthought. So, while we think we've got great experience building software and systems that way, an outside review confirms our approach and helps us identify the places we could get better. And by establishing processes early we get to build in good habits from the beginning rather than break bad habits.
That's it for now, but not for long. To stay SOC 2 Type 1 compliant, we now kick off periodic reviews of many of the processes we set down, such as a quarterly review of all access control to our systems, and annual review of our security training material. If you want to know more about our SOC 2 audit, or to review our report, reach out to firstname.lastname@example.org.