Announcing SOC 2 Type II compliance

2 years ago
Written by
Fouad Matin
@fouadmatin
Dan Gillespie
@ethernetdan

We're incredibly excited to share that Indent has achieved our SOC 2 Type II certification.

Since we wanted a rigorous evaluation, we selected Moss Adams as our auditor and chose a full twelve-month audit period instead of the more common three months. The Trust Services Criteria we certified against were security, availability, and confidentiality.

Why did we decide to become SOC 2 compliant?

Starting out, compliance isn’t exactly one of the highest priorities on the path to product-market fit. There are certain categories of products that require compliance from day one, like healthcare (HIPAA) or finance (PCI / FINRA) — it's not just nice-to-have, it's a launch requirement. What about for everyone else?

In B2B software, there is a lot of data that needs to be protected. The data is stored in databases, business systems and sometimes shared with other vendors.

The purpose of SOC 2 compliance is to ensure that the data is protected and handled in a manner that is consistent with the company’s business needs.

Since a lot of our customers are pursuing SOC 2 as part of the reason for shifting to an on-demand access model, we decided to become compliant ourselves.

This was a great opportunity to build our customers' confidence in our operations and develop a deeper empathy for the workflows we're designing.

What is SOC 2?

Service Organization Control (SOC) 2 is a report produced by an independent auditor that attests to a company’s practices for handling customer data safely. Companies work with their auditor to choose which Trust Services Criteria (TSC) to certify against based on multiple factors.

SOC 2 reports can include up to five categories:

  • Security: these are common criteria required for any SOC 2 report
  • Availability: ensures customers have consistent access to the product
  • Processing Integrity: protects data from corruption and manipulation
  • Confidentiality: regulates how customer data should be stored, accessed, and shared
  • Privacy: verifies the means of customer data collection and use

After TSC selection, a company defines controls around those criteria and determines the evidence to prove the effectiveness of those controls. The SOC 2 audit can then be kicked off. There are two stages of reports:

  • SOC 2 Type I tests whether the controls are designed and in place at a single point in time
  • SOC 2 Type II tests whether the controls operated effectively over a period of several months

What was SOC 2 Type I like?

One of the most challenging parts of going through your first SOC 2 audit is that you don’t know what you don’t know. For example, which types of vendors auditors care about versus the ones they don’t (in-scope versus out-of-scope), and which vendors require you to be on the enterprise plan in order to get single sign-on.

There are a lot of specific operational processes that are required to get your SOC 2. Because of this we would strongly recommend partnering with a compliance vendor. They’ve seen it all and can make the process a lot easier — we worked with Secureframe.

What was SOC 2 Type II like?

After SOC 2 Type I certification, you’re not out of the woods. You have to continue maintaining the controls and enforcing policies put in place for certification.

We’ve found that common frustrations post certification include:

  • Reduced velocity due to increased access wait times
  • Time consuming manual access reviews every quarter
  • Inconsistent onboarding and offboarding processes that lead to findings later on

The key to tackling these challenges is automation.

Access control automation reduces wait times by ensuring requests are routed to the correct person. This can be done through a channel like Slack, reducing the loss of productivity associated with context switching and needing to log into a web portal.

Time-bound access eliminates unnecessary persistent access by automating revocation after a set period of time, which makes access reviews faster and ensures offboarded employees don’t retain access. Automating day-one access, in turn, ensures that new employees have access only to the resources they need.
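The workflow described above (requests routed to an approver group by policy, grants that expire on their own, offboarding that revokes whatever is still active, and an append-only log that can be exported as evidence) as an added example in Python. This is illustrative code written for this post, not Indent's platform code; the routing policy, resource names, user names, the 8-hour ceiling on a single grant, and the fixed timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed routing policy: which approver group owns each resource.
# A real deployment would load this from configuration rather than a literal.
ROUTING_POLICY = {
    "prod-db": "sre-oncall",
    "okta-admin": "it-admins",
}

# Hard ceiling on any single grant (assumed value), so a request for
# "24 hours" cannot quietly become quasi-permanent access.
MAX_DURATION = timedelta(hours=8)


@dataclass
class Grant:
    requester: str
    resource: str
    approver: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        # A grant is live only while unrevoked and inside its time window.
        return self.revoked_at is None and now < self.expires_at


class AccessManager:
    """Routes requests, issues time-bound grants, and keeps an append-only audit log."""

    def __init__(self, policy: dict, max_duration: timedelta = MAX_DURATION):
        self.policy = policy
        self.max_duration = max_duration
        self.grants: list = []
        self.audit_log: list = []  # append-only; nothing here edits or truncates it

    def _record(self, event: str, now: datetime, **fields) -> None:
        self.audit_log.append({"event": event, "at": now.isoformat(), **fields})

    def route(self, resource: str) -> str:
        # Unknown resources are rejected rather than routed to a default group.
        if resource not in self.policy:
            raise KeyError(f"no approver configured for {resource!r}")
        return self.policy[resource]

    def approve(self, requester: str, resource: str, approver_group: str,
                duration: timedelta, now: datetime) -> Grant:
        expected = self.route(resource)
        if approver_group != expected:
            self._record("denied", now, requester=requester, resource=resource,
                         reason=f"{approver_group} is not the owning group {expected}")
            raise PermissionError(f"{approver_group} cannot approve {resource}")
        duration = min(duration, self.max_duration)  # cap the window, never extend it
        grant = Grant(requester, resource, approver_group, now, now + duration)
        self.grants.append(grant)
        self._record("granted", now, requester=requester, resource=resource,
                     approver=approver_group, expires_at=grant.expires_at.isoformat())
        return grant

    def has_access(self, user: str, resource: str, now: datetime) -> bool:
        return any(g.requester == user and g.resource == resource and g.is_active(now)
                   for g in self.grants)

    def _revoke(self, grant: Grant, now: datetime, reason: str) -> None:
        grant.revoked_at = now
        self._record("revoked", now, requester=grant.requester,
                     resource=grant.resource, reason=reason)

    def revoke_expired(self, now: datetime) -> int:
        """Scheduled sweep: revoke every grant whose window has closed."""
        expired = [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]
        for g in expired:
            self._revoke(g, now, "expired")
        return len(expired)

    def offboard(self, user: str, now: datetime) -> int:
        """Offboarding hook: revoke everything still active for a departing user."""
        active = [g for g in self.grants if g.requester == user and g.is_active(now)]
        for g in active:
            self._revoke(g, now, "offboarded")
        return len(active)

    def export_evidence(self) -> list:
        # Return copies so an exporter cannot mutate the manager's own log.
        return [dict(e) for e in self.audit_log]


def demo() -> dict:
    """Walk grants through approval, expiry and offboarding at fixed (constructed) times."""
    t0 = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
    mgr = AccessManager(ROUTING_POLICY)
    mgr.approve("alice", "prod-db", mgr.route("prod-db"), timedelta(hours=2), t0)
    during = mgr.has_access("alice", "prod-db", t0 + timedelta(hours=1))
    revoked = mgr.revoke_expired(t0 + timedelta(hours=2))
    after = mgr.has_access("alice", "prod-db", t0 + timedelta(hours=2))
    try:  # wrong approver group for okta-admin: must be refused and logged
        mgr.approve("bob", "okta-admin", "sre-oncall", timedelta(hours=1), t0)
        denied = False
    except PermissionError:
        denied = True
    bob = mgr.approve("bob", "okta-admin", "it-admins", timedelta(hours=24), t0)
    offboarded = mgr.offboard("bob", t0 + timedelta(hours=1))
    return {"during": during, "revoked": revoked, "after": after, "denied": denied,
            "bob_hours": (bob.expires_at - t0).total_seconds() / 3600,
            "offboarded": offboarded, "events": len(mgr.export_evidence())}


if __name__ == "__main__":
    print(demo())
```

The two revocation paths (expiry sweep and offboarding) share one `_revoke` helper so every removal of access, whatever its cause, lands in the same log with a stated reason; that is what makes a quarterly access review a query over the exported events rather than a manual reconciliation.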

How does Indent help with SOC 2?

Indent automates the manual processes associated with managing and documenting access. Put another way, Indent automates change management for your access control.

With the Indent Platform you can have:

  • On-demand production access: Secure production with a least-privilege access model that facilitates time-bound access based on immediate need. Access requests are routed to approvers based on predefined policies, ensuring compliance. Approvers can grant access and set its duration via Slack, expediting access for the requester.
  • On-call auto approvals: Adjust privileges based on changes of responsibility related to on-call status. Going on call triggers a bot to grant the necessary access, ensuring compliance principles are maintained while the access is logged for later review.
  • On-demand admin access: Secure Okta with a least-privilege access model that grants admins time-bound access based on immediate need. Admins are able to get access quickly when they need it, without needing to continually maintain their elevated privileges, keeping the organization’s most sensitive systems secure.
  • Uniform day-one access: Grant access to new internal and external users based on roles and responsibilities. Protect against privilege creep and make sure that new users have access to the necessities for their role, while being able to request additional access on demand.
  • Automated audit evidence collection: Automates your evidence collection by storing all access-related data in immutable logs. They can then be exported with a single click and shared with your auditor.

We used the Indent Platform during our own SOC 2 Type II audit and were gratified by the response from our auditor at Moss Adams. Our customers’ auditors have also been pleased with the format of the audit evidence.

For example, PlanetScale made sure we knew that their auditor loved the logs and audit reports from Indent. Life after SOC 2 has also been improved for admins at PlanetScale through their use of the Indent Platform.

PlanetScale has seen an 80% reduction in their IT workload, allowing them to focus on projects that more directly impact revenue. You can learn more about how Indent has helped them by checking out their case study.

If you're considering pursuing SOC 2 compliance or are already compliant but finding it hard for people to get access quickly, we'd love to help! Feel free to request a demo with our team and we're happy to help you get started.

Try Indent for free.