Data is an increasingly valuable commodity, and, as a result, the measures that organizations take to keep their customer data secure continue to be placed under increasing scrutiny.
And rightly so — at RemotePass we have the strongly held belief that our clients’ data should be handled with the utmost care and diligence. It is for this reason that we decided to embrace an industry standard, voluntary data protection audit called Systems and Organization Controls 2, or SOC2 for short.
In this article, we’ll dive into what SOC2 compliance is, what it means for us at RemotePass, and what measures we’ll be taking in the future to guarantee that our approach to data handling remains as secure as possible.
What is SOC2 compliance?
SOC2 is a voluntary compliance standard, developed by the American Institute of CPAs (AICPA), that evaluates how organizations handle customer data.
In order to achieve SOC2 compliance, organizations must agree to rigorous inspections by independent auditors, who evaluate the organization against a range of criteria, which they call ‘trust service principles’. These include:
- Privacy
In the context of SOC2 compliance, privacy refers to the way that a system collects, uses, retains, discloses, and disposes of personal information, in line with its privacy policies as well as the AICPA’s ‘generally accepted privacy principles’ (GAPP). Necessary controls must be in place to protect personally identifiable information (PII) from any unauthorized access.
- Security
Security refers to the way that an organization protects system resources from unauthorized access. Robust access controls need to be in place to prevent unauthorized access, abuse, theft, or removal of data, as well as the improper disclosure of information, or its alteration. This trust service principle looks for the implementation of systems such as firewalls, two-factor authentication, and intrusion detection — all of which reduce the risk of breaches significantly.
- Confidentiality
Confidential information is information for which access is restricted to specific individuals or groups, such as intellectual property or pricing information. Under this trust service principle, a SOC2 audit will examine whether encryption is in place for the transmission of confidential information, whether application firewalls exist, and whether access controls are available — all of which safeguard data that is being processed or stored.
- Processing Integrity
A SOC2 audit also considers the integrity of the processes involved in data management, to identify whether they achieve their intended purposes, delivering the right data at the right time. This does not evaluate the integrity of the data itself, but the way the data is processed.
- Availability
Under the ‘availability’ trust principle, a SOC2 audit reviews the accessibility of the system against the levels laid out in service level agreements (SLAs) or contracts. This doesn’t look at functionality, but instead explores security-related aspects that might affect the availability of data.
Why is SOC2 important?
For SaaS companies, SOC2 isn’t a requirement, but instead is a voluntary measure that can be taken in order to guarantee the security of an organization’s approach to data management.
The importance of taking these measures cannot be overstated — after all, breaches are costly for everyone involved — and therefore customers should be diligent in choosing providers who take data security seriously. SOC2 is one such mark of confidence that SaaS buyers can rely on. SOC2 adds an additional layer of diligence — and therefore confidence — to already-robust data management processes.
SOC2: Compliant Onboarding and Payroll With RemotePass
RemotePass collaborated with the independent cybersecurity and compliance audit organization Kompleye, which completed a thorough examination, including:
- Understanding of RemotePass’s scope of services, commitments, and system requirements.
- A detailed system description and an assessment of the design and efficiency of the company’s controls.
- Optimization of operating procedures to ensure the highest level of data privacy and security.
- Performing audit procedures and collecting evidence.
RemotePass is officially SOC2 Type 1 certified as of 30 September 2022.
What SOC2 means to RemotePass
As an international organization serving thousands of remote workers around the world, we treat data and security compliance as a central topic. As a fully-remote team, we had to design our tech infrastructure accordingly and build a workflow that gives all our users the highest standard of data access and security protection.
We understand that data management is not a static process, and therefore no single audit can be good for life. RemotePass is committed to undergoing a yearly SOC2 audit to ensure that our compliance is continuously improved and kept up to date.
We highly encourage SaaS companies to go for a SOC2 audit. It truly can transform your internal practices and, consequently, reassure your prospects and clients that their data is securely protected.