Jan 05, 2023 by Team HiddenApp
We’re SOC 2 Type 1 certified!
We’re thrilled to announce that HiddenApp has completed a SOC 2 Type 1 audit. SOC 2 is one of the most widely recognized and rigorous industry standards for data security. It’s a tough regime, but we did it. Our systems and processes were examined by an independent CPA firm, working to the attestation standards set by the American Institute of Certified Public Accountants (AICPA), and the auditor found our controls suitably designed to meet the criteria. Strictly speaking, the outcome is an attestation report rather than a certificate, which is why we can share the report itself rather than just a badge (see the end of this post).
What’s SOC 2?
System and Organization Controls 2 - known as SOC 2 - is an attestation framework designed to show that companies like us (known as ‘service organizations’) manage the security and privacy of their customers’ data to a high standard. It’s entirely voluntary. The AICPA defines the criteria and the audit standards, and an independent, licensed CPA firm examines the organization’s controls and issues the SOC 2 report. Although it’s predominantly a US-based recognition, SOC 2 has a lot of overlap with the international information security standard ISO 27001, although the two are not interchangeable: ISO 27001 is a certification of an information security management system, while SOC 2 is an auditor’s report on specific controls.
Why we went for SOC 2
We’ve always taken customer privacy and security extremely seriously, so we’ve always kept our systems and processes aligned with best practice. We made the decision to work towards SOC 2 because we know that trust isn’t given - it’s earned. We wanted to demonstrate our commitment to our customers’ security in a very public, independently verified way.
But we’re also passionate about continual improvement, and we know that it’s dangerous to make the assumption that any system is pretty much bulletproof. It’s too easy to get complacent with a system if it’s never gone wrong, so we welcomed the input of our SOC 2 advisors and auditors to find any gaps and improve what we have.
SOC 2: It’s all about keeping data secure
SOC 2 is based on five categories - the Trust Services Criteria - that together describe what a strong security environment looks like. Security is mandatory for every SOC 2 report; the other four are included according to the scope the organization chooses, and the report states which categories it covers. These criteria are:
Availability: This requires that our systems and services are available for operation and use as committed to our clients. We’ve numerous tools and fail-safes that ensure our services are available, and we have robust disaster recovery plans in place.
Confidentiality: This criterion addresses who can access data on our systems and how information designated as confidential is protected. We take a multi-level approach to confidentiality, through things like data encryption and the principle of least privilege.
Processing integrity: This addresses whether our system achieves its purpose for us and for our clients - that its processing is complete, valid, accurate, timely and authorized, so it does what it needs to do at the time it needs to do it.
Privacy: This addresses how we collect, use, retain, disclose and dispose of personal information. We approach this through robust and transparent privacy practices that show clearly how we handle personal data.
Security: This is the overarching criterion, as it addresses how data and information systems are protected against unauthorized access, unauthorized disclosure and damage, so that none of the other criteria can be compromised. Our approach includes tools across our entire IT ecosystem that maintain data security, including access control such as two-factor authentication, restricted access to encryption keys, 24/7 monitoring, network and application firewalls, intrusion detection and mobile device management.
We aimed for a Type 1 report, which is a point-in-time snapshot: the auditor examines whether the controls we describe are suitably designed to address the criteria as of a given date. (A Type 2 report goes further and tests whether those controls operated effectively over a period of several months.) It was quite a journey!
Once we made the decision to go for SOC 2 Type 1, we didn’t go it alone. We enlisted the support of a cybersecurity compliance adviser, not just for their expertise, but because we believe an independent perspective is invaluable when we’re looking at our own systems. With the help of our adviser, we:
- Mapped our system: We formally mapped out all the data controls, policies and security systems we already had in place into a framework.
- Mapped to the criteria: We compared our systems and processes to the requirements of the trust criteria.
- Identified strengths and gaps: We assessed the areas that were strong, and highlighted areas that needed development or improvement.
- Implemented and tested controls: We deployed the improvements, monitored them and tested that they worked as intended.
This didn’t happen overnight - it took quite a few months of hard work, but the result was satisfying. Once we’d implemented the improvements, it was audit time! We welcomed the independent auditor, a licensed CPA firm qualified to perform SOC 2 examinations. The process wasn’t without tension. Had we missed something? We were delighted when our auditor told us that we had all the controls in place to satisfy the trust criteria.
Of course, SOC 2 success isn’t a once-only audit. A report describes our controls as of a specific date, so to keep a current SOC 2 report we’ll continually work on our systems and be audited annually, to make sure we maintain the highest levels of security.
What we learned
Working towards SOC 2 accreditation taught us some valuable lessons:
1. Don’t get comfy. When things never go wrong, it’s too easy to get complacent. Because we’d never had a failure or a data breach, we were confident our systems were pretty bulletproof. Our adviser proved us wrong by identifying some weak spots.
2. There’s always something to learn. It was exciting to discover new approaches to data security.
3. Good teamwork is everything: We’ve always worked well as a team but this project brought out the best in everyone.
4. Things always take longer than you expect. The story of every project that ever was.
We’re committed to transparency so, if you’d like to find out more about what we do to keep our customers secure, you’re more than welcome to check out our security controls page, where you can download and read our SOC 2 Type 1 report.