Security is our DNA – we keep repeating it and have already proven it many times. When you run a backup and data protection company, your number one priority is to hold your products, customers, teams, and processes to the highest security standards in the world.
After SOC 2 Type I and ISO 27001 audits, we are excited and proud to announce that in May 2023 we completed the SOC 2 Type II report covering all principles of information security, which are: Security, Availability, Confidentiality, and Processing Integrity, as well as all the common COSO and information security criteria, such as Logical and Physical Access Controls, System Operations, Risk Mitigation, Change Management, and more.
The process of obtaining and complying with SOC 2 was a long journey for the entire team. Check out what we have learned along the way.
What is the SOC 2 Type II all about?
In short: SOC 2 is the best way to prove that your customers’ data and its protection are your top priority.
Speaking officially, SOC stands for Service Organization Control. SOC 2 is a framework applicable to technology or SaaS companies that store customer data in the cloud. Developed by the American Institute of CPAs (AICPA), it defines criteria for managing customer data based on “trust service principles”.
However, controls and reports are unique to every business. Each company designs its own controls to comply with its Trust Services Criteria (TSC).
In practice, SOC 2 is an audit procedure that results in a report detailing how your service provider manages the data entrusted to it.
SOC 2 consists of two reports:
- Type 1 – describes the information security management system and assesses its adequacy in the context of the standard’s checkpoints.
- Type 2 – assesses whether the information security management system is actually functioning (it documents evidence that the security measures operated over a specific period of time, at least 6 months).
Short reminder: GitProtect completed its SOC 2 Type I audit in June 2022 and, unlike other DevOps backup providers, was audited against as many as 4 principles of information security!
Our journey to SOC 2 Type II
A SOC 2 report is issued by outside auditors. For our part, we needed the right technology and IT infrastructure in place. We designed very rigorous security processes and trained each team member on our security posture and top principles (and we made a permanent process out of it).
In order to determine the level of security of information processing in our company and meet the requirements of the TSC for SOC 2 Type II, the auditors thoroughly analyzed our documentation, interviewed our team members, and reviewed our websites; on top of that, they scanned, checked, observed and inspected our processes and infrastructure.
In fact, the official audit report that we are extremely proud of is just the beginning of the journey. We are committed to and responsible for:
- Meeting all the services within the Identify Control Management System
- Identifying the risks that threaten the achievement of the control objectives and the service organization’s commitments
- Designing controls to mitigate those risks
- and more.
There is no finish line for us. We will constantly check and improve our security measures – it remains our #1 priority.
What does SOC 2 mean for our customers?
Again, in short: it means that our customers’ data and its protection are our top priority. And it’s not just words; it’s an officially documented and audited pledge!
Our security posture is proven by world-class security standards such as SOC 2 Type I, ISO 27001, and now also SOC 2 Type II. In accordance with them, we select our technologies, create processes and establish technology partnerships.
Want to go further? Check our Security & Compliance use case.
SOC 2 Type 2 compliant vendor for your SOC 2 journey
What’s more, we help our customers along a similar path. If you are in the process of SOC 2 certification, it is worth considering solutions that work in accordance with these standards and will support you on your own journey.
We use Jira and git hosting services ourselves, so we know how crucial this data is, and not only for security audits and certifications. For every technology-related company, source code (as intellectual property), repositories and their metadata, as well as Jira data, are key assets. Data loss, or even a short-term loss of access to the service, might cost a fortune.
On your own SOC 2 certification journey, don’t forget to design and implement backup and data protection best practices for your DevOps data. And remember: we have got your back(up)!