SOC 2 is a security standard written by the American Institute of Certified Public Accountants (AICPA).
Overview: SOC 2 compliance guide for startup
In depth: The Ultimate Guide to SOC 2 Compliance
Expect to spend $30-$50 CAD first year getting started.
- 1-3 Months prep
- 1-2 Months Report Prep after Audit/Observation Period
- Pick a point in time
- 3 month observation period possible first year
- 6 months observation period
"In a SOC 2 Type 1 audit, a startup defines its best practices. Type 1 essentially presents a snapshot of security controls at a certain point in time. It collects evidence that shows the security controls that have been put in place and how the company is fulfilling them."
"In a SOC 2 Type 2 audit, a startup produces a sample set of evidence that proves its security controls have been followed over time. Type 2 is a six-month to a year longitudinal audit that evaluates the constancy of controls through the lens of security."
What parts of the company will be SOC 2 compliant? Maybe exclude your marketing efforts.
✅ We used them.
Audit Prep: Vanta ✅
- Certn ✅
- Vanta integration
- 1Password ✅
- $12 CAD/month/user paid monthly
- Need to go with the Business (not teams plan) in order to get access to the team wide password/security tools we needed
- Use 1password.ca for data storage in Canada 🇨🇦
- LastPass
- Vanta ✅
- Blissfully
- GSuite ✅
- Vanta integration
- Okta
- OneLogin
- HackerOne
- Cobalt
- BSK Security ✅
- Detectify ✅
- sqreen
- Barr Advisory ✅
- Vanta Referral
- Terraform ✅
- AWS ✅
- Vanta integration
- Heroku
- Vanta integration
- Use Database Standard-0 at least for encryption at rest. $50/m USD
- Use [Papertrail]https://elements.heroku.com/addons/papertrail) Fixa plan for 365 day log retention. $8/m USD
- Google Cloud
- Google Aunthenticator App ✅
- Yubico Key
- Cybrary ✅
- Recommended by Vanta
- Free if self registered
Scanning packages and dependencies for vulnerabilities.
- GitHub Security (Dependabot) ✅
- Ruby Advisory Database via Bundler Audit gem ✅
- Vanta ✅
- Yarn Audit ✅
- NPM Audit via audit-ci package ✅
- Snyk ✅
- Trivy ✅
- AWS ECR Container Scanning ✅
Review Password Requirements of Vendors
- Migrating from Public & Private Heroku spaces -> AWS
- Worked with contractors to accelerate migration to disrupt internal focuses and roadmap as little as possible
- Has SOC2 for Workspaces & Cloud Platform
- Self service download page
- https://cloud.google.com/security/compliance/compliance-reports-manager
- Email support request, sent report without a problem
- https://www.freshworks.com/security/resources/
- NDA Required
- https://help.heroku.com/FEOHRZ1H/compliance-certifications-pci-dss-soc1-soc2-soc3-iso27001-iso27017-iso27019
- Support Ticket Based
- https://help.heroku.com/new/compliance-doc-request
- Requires an NDA
- https://slack.com/intl/en-ca/security
- SOC 3 Download self service available
- https://aws.amazon.com/compliance/soc-faqs/
- Self Service via AWS Artifact
- SOC 2 self service available, NDA required
- AWS SOC 3 Security, Availability & Confidentiality Report, publicly available as a whitepaper.
- AWS SOC 2 Security, Availability & Confidentiality Report, available to AWS customers from AWS Artifact.
- https://certn.zendesk.com/hc/en-us/categories/360004285913-Security
- SOC 2 in progress https://certn.zendesk.com/hc/en-us/articles/360051928713-Are-3rd-party-audits-conducted-on-the-supplier-s-security-practices-SOC-1-SOC2-SOC3-SSAE-16-CSAE-3416-or-other-at-least-annually-
- https://mailchimp.com/about/security/soc-request/
- Submit a support ticket
- NDA Required
- https://cloudconvert.com/privacy
- Privacy Policy, GDPR Compliant
- https://www.twilio.com/security
- Has comprehensive list of certification - including SOC 2 - available upon request
- Submit a support ticket https://support.twilio.com/hc/en-us
- NDA Required
- https://github.com/security
- SOC 3 report available for Enterprise Cloud
- https://www.cloudflare.com/en-ca/trust-hub/compliance-resources/
- Login -> Account -> Support Tab -> Compliance Documents
- Has SOC 2 for self service download
- https://wistia.com/support/account-and-billing/security
- Do not appear to have any certifications at this time