We're incredibly excited to share that Indent has achieved SOC 2 Type II certification.
Since we wanted a rigorous evaluation, we selected Moss Adams as our auditor and chose a full twelve-month audit period instead of the more common three months. The Trust Services Criteria we certified were security, availability, and confidentiality.
Starting out, compliance isn’t exactly one of the highest priorities on the path to product-market fit. There are certain categories of products that require compliance from day one, like healthcare (HIPAA) or finance (PCI / FINRA) — it's not just nice-to-have, it's a launch requirement. What about for everyone else?
In B2B software, there is a lot of data that needs to be protected. The data is stored in databases, business systems and sometimes shared with other vendors.
The purpose of SOC 2 compliance is to ensure that the data is protected and handled in a manner that is consistent with the company’s business needs.
Since SOC 2 is part of the reason many of our customers are shifting to an on-demand access model, we decided to become compliant ourselves.
This was a great opportunity to build our customers' confidence in our operations and develop a deeper empathy for the workflows we're designing.
Service Organization Control (SOC) 2 is a report generated by an independent auditor that attests to a company’s safe customer data handling practices. Companies work with their auditor to choose which Trust Services Criteria (TSC) to certify based on multiple factors.
SOC 2 reports can include up to five categories:
After TSC selection, a company defines controls around those criteria and determines the evidence to prove the effectiveness of those controls. The SOC 2 audit can then be kicked off. There are two stages of reports:
One of the most challenging parts of going through your first SOC 2 audit is that you don’t know what you don’t know. For example, which types of vendors auditors care about and which they don’t (in-scope vs. out-of-scope), and which vendors require you to be on an enterprise plan in order to get single sign-on.
There are a lot of specific operational processes that are required to get your SOC 2. Because of this we would strongly recommend partnering with a compliance vendor. They’ve seen it all and can make the process a lot easier — we worked with Secureframe.
After SOC 2 Type I certification, you’re not out of the woods. You have to continue maintaining the controls and enforcing policies put in place for certification.
We’ve found that common frustrations post certification include:
The key to tackling these challenges is automation.
Access control automation reduces wait times by ensuring requests are routed to the correct person. This can be done through a channel like Slack, reducing the loss of productivity associated with context switching and needing to log into a web portal.
Time-bound access eliminates unnecessary persistent access by automating revocation after a set period of time, making access reviews faster and ensuring that offboarded employees don’t retain access. Automating day-one access likewise ensures that new employees have access only to the resources they need.
Indent automates the manual processes associated with managing and documenting access. Put another way, Indent automates change management for your access control.
With the Indent Platform you can have:
We used the Indent Platform during our own SOC 2 Type II audit and were gratified by the response from our auditor at Moss Adams. Our customers’ auditors have also been pleased with the format of the audit evidence.
For example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.
PlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out their case study.
If you're considering pursuing SOC 2 compliance or are already compliant but finding it hard for people to get access quickly, we'd love to help! Feel free to request a demo with our team and we're happy to help you get started.