I was recently asked, “Brit, why would an early stage company go through this process?”
The answer is simple: Our customers.
Because we work with large and enterprise companies, it is important that we create a culture of security from the start, which will ensure we operate to the highest standards moving forward.
This whole process, admittedly, was foreign to me. As a first-time founder, I often operate in unfamiliar environments, and while I am no SOC 2 Type II expert, I am proud of what I learned and hope this blog removes the intimidation factor for anyone exploring this certification for their own business.
What is a SOC 2 report?
By definition, System and Organization Controls, usually referred to as “SOC 2,” is a voluntary compliance standard for service organizations that frames how businesses should manage customer data. Over the course of several months, our SOC 2 audit did a deep dive into our controls for security, availability, processing integrity, confidentiality, and privacy.
How are Type I and Type II different?
WAIT… There are two types of SOC 2 reports?! Yes. As if security audits weren’t complex enough… I managed to boil it down to the following:
Type I is what I call “The Polaroid” report. A Type I report shows that your organization understands the necessary security procedures and was compliant with those measures at the moment in time the auditor reviewed your systems. The report reflects a single moment in time, a snapshot, hence the Polaroid reference.
Type II can be considered “The Film” report. A Type II report shows that your organization understands the necessary security procedures and is compliant with those measures over a designated period of time. Similar to a film, which tells a story over time, the Type II report confirms that an organization understands the necessary security measures and consistently adheres to them.
How do you know which one to choose?
Great question. I can’t answer this one for you but I’d start here.
Revisit why you started this process in the first place: is it time sensitive in order to close a deal? Was it an action item you’ve had on your to-do list and now have time (what a dream!) to check it off? Do you plan on selling to enterprise companies?
Our mission is to make work easier and teams more productive every day. The FlowEQ team decided it was important to prove ourselves to the people we do business with, and a Polaroid simply wouldn’t cut it. We take security measures seriously and, as with our mission, we prioritize this every day; that is why we chose SOC 2 Type II.
Okay, maybe I am a SOC 2 Type II expert now…
Only kidding! The Johanson Group provided individualized attention during the discovery phase, answering all of my questions uniquely tied to FlowEQ. Truthfully, you don’t have to navigate this alone: Vanta was able to streamline the process and automated the collection of up to 90% of the evidence we needed to prove compliance. My team dedicated countless hours toward this effort, Andrew Wilkinson and Nick Wehner: thank you! Thank you! Thank you!