By: Trevor DeVore on July 2nd, 2021

What is SOC 2 Compliance? What Does it Mean for Software Customers?

Keeping your data secure is your top priority. And rightly so.

While you’d like to keep that information safely stored in one place without providing access to external parties, the reality is that you need vendors to complete your day-to-day tasks.

One of those vendors you are considering is ScreenSteps, a knowledge base software that will help your employees create, store, and share your documentation across your company. The promise of fewer mistakes, quicker training, and a more searchable database is enticing, but how do you know your information is safe when stored in the ScreenSteps system?

Last year, I worked with our IT team to meet industry security standards. We spent countless hours learning about Service Organization Control 2 (SOC 2) requirements and updating our systems and policies in preparation for our SOC 2 audit. As CTO of ScreenSteps, it was important to me that our customers could trust our systems.

In March 2021, we completed our first SOC 2 audit with 360 Advanced and officially received our SOC 2 Type II attestation for Security, Availability, and Confidentiality — joining other companies who have met the high security standards.

So what is SOC 2 compliance? And what does it mean for ScreenSteps customers?

Below I explain what SOC 2 compliance is, the different types, what it means for software users, and why it matters to ScreenSteps customers.

What is SOC 2 compliance?

SOC 2 is, at its core, a preparedness plan. It is an industry standard for security excellence that is widely used by Software-as-a-Service (SaaS) companies.

Typically, the SOC 2 audit report is used to assure clients and prospective clients of SaaS companies that their information is secure and accessible. These requirements are in place so that if a SaaS provider were to have an issue with its technology, that issue would not become your issue.

Essentially, if your vendor’s SaaS software were to go down at any point, your company would suffer. Either you wouldn’t be able to do your work or your information would be at risk.

Vendors are examined for different criteria. Using the Trust Services Criteria (TSC) — which was established by the American Institute of Certified Public Accountants (AICPA) — the SOC 2 audit tests on 5 criteria:

1. Security - Information and systems are secured to protect against unauthorized access or damage to the system that could impact a company’s objectives

2. Availability - Systems are accessible for operations

3. Processing integrity - System processing is “complete, valid, accurate, timely, and authorized"

4. Confidentiality - Any confidential information is protected

5. Privacy - Any personal information collected, used, or managed is secured

Companies are not required to undergo auditing for all of the points. They can choose which of the five they want their 3rd-party auditor to review. However, a security audit is required.

What do SOC 2 audits protect?

SOC 2 audits prove that SaaS businesses are prepared to protect against failure of their information technology and a breach of their information security. Vendors are examined for how they would handle unexpected threats and risks.

Some of the potential threats that a SOC 2 audit covers include:

  • Server failure
  • Internet outages
  • Rogue IT employees

Type I vs. Type II compliance

There are two types of SOC 2 audit. Each serves a different purpose and has different qualifications.

Type I

The purpose of a SOC 2 Type I audit is to understand the necessary security procedures. In this case, the companies write down their plans to show they have thought through how they would handle worst-case scenarios.

When vendors undergo a Type I audit, it is a self-administered audit. The vendor only needs to collect data for a day to test the security of its system.

Type II

A SOC 2 Type II audit is more in-depth. It verifies that companies can put their plan into action.

Not only does the audit prove that your vendor understands the necessary security measures, but it also proves that they follow them. They do this by having the auditors observe the company over a period of time.

For Type II audits, the 3rd-party auditors collect data from the vendor over 3-12 months. During that time, they are examining the vendor’s behavior and how they would react to breaches and threats to their system.

How do you get SOC 2 Type II compliant?

In order to become SOC 2 Type II compliant, vendors need to find a 3rd-party auditor to audit their systems. This process can be grueling, but it holds each SaaS vendor accountable for the information they store and support.

The auditing part takes 3-12 months to complete. Then companies need to wait another month or two to receive the report attesting whether they are SOC 2 Type II compliant.

Why it's important for software providers to have SOC 2 compliance

In short, it will save you time as you search for a knowledge base.

If a vendor doesn’t have SOC 2 compliance or another certification to hold it to a security standard, then you would need to ask a lot more questions to ensure their security system is legitimate.

When a company is SOC 2 compliant, it means they are held to a certain standard, which covers most of the questions on a security questionnaire.

Since these audits are performed by an independent, 3rd-party auditor, the report validates the security of the vendor’s software. It shows that the vendor can be trusted.

What does it mean for ScreenSteps customers?

ScreenSteps has always taken extra care to protect our customers’ information. Now that ScreenSteps is officially SOC 2 Type II certified, that attestation validates the work ScreenSteps’ IT team has put in to protect your data.

ScreenSteps has been audited for Security, Availability, and Confidentiality.

As a ScreenSteps customer, you can have extra confidence in the safety of your accounts. You can trust that ScreenSteps has met all the security requirements and standards to be listed amongst trustworthy SaaS companies.

Most importantly, you can rest assured that ScreenSteps is prepared to handle a variety of unexpected issues so that we can take care of your data.

Have more questions about ScreenSteps' security?

When it comes to your private information, there shouldn’t be any doubt that it is protected. That’s where SOC 2 compliance comes in.

SOC 2 compliance validates a company’s commitment to securing your data. ScreenSteps has met those standards to become SOC 2 Type II certified, and will continue to improve its security measures.

Still have security questions? Our consultants can help. Our consultants work with our IT team to answer all of your security questions so that you can feel confident that your information will be taken care of with ScreenSteps.
