
With SOC 2 Compliance, Firmex Gains a Seal of Approval on Data Security — Here’s Why it Matters for Your Organization

When data is the backbone of your business, your top priority is keeping that data safe. Firmex enacts this priority every day through our virtual data room technology. Our customers rely on us to provide a simple and secure data room for M&A, diligence, and litigation. They come to us knowing they can share documents with absolute confidence.

That assurance is now even stronger with our latest compliance report. We’re proud to announce we’ve recently completed a SOC 2 audit. It’s a seal of approval that confirms our data security practices are best in class! With this certification, Firmex customers can have confidence in the safety of their data.

A lot of thought and work go into SOC 2 compliance principles and audit procedures. Here’s why it matters — both for Firmex and for your organization.

What is a SOC 2 Audit?

The “SOC” in SOC 2 (pronounced like “sock two”) stands for “System and Organization Controls.” It’s a voluntary compliance standard developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 provides a framework and criteria to evaluate the internal controls an organization has in place to manage, control, and secure the data in its care.

Having SOC 2 attestation means that your organization has successfully conducted a globally recognized data compliance audit. Like any standardized exam, there’s an established procedure and a range of testing criteria. By undergoing a SOC 2 evaluation, organizations are putting their data security objectives and internal security controls under the microscope and having them vetted by data security professionals.

To achieve SOC 2 compliance, an organization engages a third-party accounting firm (one that’s licensed as a Certified Public Accountant, or CPA) to conduct a SOC 2 audit. During the audit, the firm checks whether the organization has the right policies, procedures, and controls in place to handle data effectively. In contrast to cybersecurity assessments that take a deep dive into technical details, SOC 2 security auditing focuses on data risk management across different parts of the operation.

Following the assessment, the third-party firm produces a comprehensive report — and issues the all-important result. Great news for Firmex and Firmex customers: With our SOC 2 report, we have an attestation recognized across North America and beyond.

What are Trust Services Criteria?

Like any school exam, it all comes down to the grading key. That’s what determines top marks, and it’s the same with the SOC 2 audit. SOC 2 was developed around a core set of “Trust Services Principles.” These principles break out into a range of criteria called “Trust Services Criteria” (TSC) that evaluators use to guide their assessments. The mandatory TSC category for SOC 2 certification is security, where evaluators verify that data is safeguarded against unauthorized access, data loss, and damage. The security category forms the basis of every SOC 2 report, but organizations can choose to have additional categories evaluated for bonus attestations.

Firmex passed the security audit with flying colors to receive SOC 2 attestation, but then we went above and beyond to receive attestations for availability and confidentiality. Availability ensures systems are running smoothly and users have access to data when needed; confidentiality ensures information designated as sensitive and confidential stays that way, wherever it is in the system.

To get a gold star on the final SOC 2 report, organizations need to address controls in areas that are important for both the business and its customers. For many organizations, this includes information security, access control, vendor management, system backups, and disaster recovery.

When an organization hits the mark across its key areas, it’s a sign that data is secure and systems are robust.

Passing the Test — Year After Year

Within SOC 2 compliance, there are two types of report a vendor can achieve: Type 1 and Type 2. Achieving SOC 2 Type 2 compliance is a lengthy process that often takes about a year to complete: whereas a Type 1 audit evaluates controls as they exist on one specific day, a Type 2 audit evaluates them over a period of six months to a year. SOC 2 Type 1 also assesses only the design of the security controls in place, not their operating effectiveness. In contrast, a Type 2 audit examines both what the security controls are and how they function in practice. To reach that conclusion, the auditor must gather evidence supporting the successful operation of the controls.

But after achieving compliance, organizations can’t rest on their laurels. Industry standards suggest that SOC 2 Type 2 compliance should be reassessed annually. As technology, procedures, and regulations change, so do risks. That means organizations with SOC 2 compliance need to keep reviewing their data processes to make sure they keep up with the times, reflect changing needs, and continue to pass muster.

Choosing a Vendor? Look for SOC 2 Attestation

As a virtual data room provider, we work hard to ensure our data security controls are evaluated and certified. Receiving the SOC 2 attestation exemplifies our commitment to security and privacy globally. At Firmex, we’ve undergone SOC 2 auditing since 2014, with a Type 1 attestation. In 2019, we upgraded to Type 2 and have maintained it since. When we say we’re committed, we mean it.

But SOC 2 doesn’t only concern businesses like ours. Knowing what it takes to achieve SOC 2 compliance — and choosing vendors that regularly complete SOC 2 audits — is essential for any organization.

SOC 2 compliance is an important consideration when browsing vendors. It demonstrates a vendor’s dedication to safeguarding clients’ data. If a vendor is SOC 2 compliant, that’s a great start, but what type of attestation do they have? Is it Type 1, evaluated at a single point in time, or Type 2, evaluated over an extended period? How long has the vendor been SOC 2 compliant? Does their history show consistent compliance?

Checking for these details and any exceptions in their SOC 2 report paints a clear picture of how effective their security controls are. Think of SOC 2 compliance as proof that a vendor delivers on the security they promise. You know you’re dealing with a trustworthy organization that will handle your data carefully.

With that assurance, there’s a spillover effect that benefits your business. When your vendors have the right data safeguards in place, you reduce your risk of data breach, data loss, and other compliance concerns. By working with companies with SOC 2, you’re strengthening your own information security, access management, and disaster recovery processes.

There’s already so much to consider in processes such as M&A, diligence, and litigation; having peace of mind in your data’s security allows you and your team to stay focused and efficient. When you work with SOC 2 compliant organizations, you know they’ve got your back on data protection.

To learn more about Firmex security policies and initiatives, visit our security page.
