Today, we're proud to announce that StackShare is now SOC 2 compliant! This is a milestone achievement and helps us to continue to build trust with the StackShare community and enterprise customers. Achieving this standard serves as third-party industry validation that StackShare provides enterprise-level security for customers' data. A SOC 2 Type II audit report demonstrates that StackShare manages user and customer data with the highest standard of security and compliance.
With the help of our partners SecureFrame and Prescient Assurance, we have achieved SOC 2 Type I and Type II compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations also known as SSAE 18. In this post we'll outline what SOC 2 is and our process for attaining the certification.
SOC 2 Compliance
To obtain a SOC 2 report and meet the criteria for certification, an organization needs to undergo an audit by a third-party auditor, either a CPA or a firm certified by the American Institute of Certified Public Accountants (AICPA). The auditor evaluates your security posture to determine whether your policies, processes, and controls comply with SOC 2 requirements.
The foundation and main areas of focus for SOC 2 compliance are:
- Information security: How do you protect your data from unauthorized access and use?
- Logical and physical access controls: How does your company manage and restrict logical and physical access to prevent unauthorized use?
- System operations: How do you manage your system operations to detect and mitigate process deviations?
- Change management: How do you implement a controlled change management process and prevent unauthorized changes?
- Risk mitigation: How do you identify and mitigate risk for business disruptions and vendor services?
Additionally, there are five Trust Services Criteria:
- Security - covers defenses against all forms of attack (2FA, firewalls, etc.)
- Privacy - any information that's considered sensitive because of its personal nature
- Confidentiality - information that, to be useful, must be shared with other parties (e.g. health data)
- Processing Integrity - tests that systems used to store, process, and retrieve information work the way they're supposed to
- Availability - minimizing downtime, and the processes in place to do that
Our process for attaining SOC 2 Compliance
SOC 2 compliance is a complex and incredibly thorough certification that requires quite a lot of oversight. So naturally, we looked for a software solution, and eventually landed on SecureFrame. SecureFrame provides automated security and compliance software that helps you streamline SOC 2 compliance (along with many other types of compliance).
We would not have been able to attain SOC 2 certification without SecureFrame. There are a few specific advantages their platform provided for us:
- Integrations with our core vendors (Google Cloud, GitHub, 1Password, Google Workspace, Gusto, Slack, Trello), which helped us easily provide evidence of compliance and reduced the burden on us for data gathering
- An easy-to-use dashboard that gives us clear indications of which controls are failing and who owns what
- All data gathering by our auditor (Prescient Assurance) was automated
- Significantly sped up the creation of policies and recommended best practices
- Provided us with an easy-to-formulate risk management framework
Thank you again to both of our partners for helping us attain this certification. StackShare customers can request access to the audit report by emailing us here.