SOC2: The good, the bad, the ugly, the compliant

Sarah Wheeler
Updated on October 17, 2023

Privacy isn’t a term we use lightly at Kevel: it’s part of our core infrastructure and the ethos of our company. From our values and mission statement to the makeup of our technology, privacy and security are the cornerstone of our decision making, product development, and company culture itself.

To us, this meant SOC2 compliance was an obvious step towards our mission of “making the Internet a better place.” We wanted to share a little more about what that looks like and really means at a macro level, along with what it’s looked like at Kevel specifically. 

Big picture: What is SOC2?

SOC 2, or System and Organization Controls 2, is a voluntary standard developed by the American Institute of Certified Public Accountants (AICPA) that provides a framework for auditing and reporting on a service organization's security, availability, processing integrity, confidentiality, and privacy. 

SOC 2 compliance is becoming increasingly important as more and more organizations move their data to the cloud. By obtaining a SOC 2 report, an organization can demonstrate to its customers, investors, and other stakeholders that it has implemented appropriate controls to protect their data. There are five main principles that make up the SOC 2 report (AICPA's Trust Services Criteria), which define how an organization should manage customer data:

  • Security: The organization has implemented security controls to protect data from unauthorized access, use, disclosure, disruption, modification, or destruction.

  • Availability: The organization has implemented availability controls to ensure that data is available when needed.

  • Processing integrity: The organization has implemented processing integrity controls to ensure that data is processed accurately and completely.

  • Confidentiality: The organization has implemented confidentiality controls to protect data from unauthorized disclosure.

  • Privacy: The organization has implemented privacy controls to protect data in accordance with applicable laws and regulations.

SOC 2 reports come in two varieties: Type 1 and Type 2. A Type 1 report provides assurance on the design of the organization's controls and effectiveness at a single point in time, while a Type 2 report provides assurance on both the design and operating effectiveness of the organization's controls on an ongoing basis.

Obtaining a SOC 2 attestation report means that Kevel can assure our customers, investors, and other stakeholders that we have implemented appropriate controls to protect their data. 

SOC 2 is sounding familiar…didn’t Kevel do this already?

You might be thinking of when we obtained our SOC 1 Type 2 certification! This type of audit is focused on internal controls and financial reporting, and it reports on controls over the course of a year.

Why did we do SOC2?

By following the SOC 2 framework and performing annual third party audits, Kevel can demonstrate to its leadership, customers, and partners that we are committed to data security. This commitment will help to reduce the risk of data breaches, build customer trust, and improve our overall security posture. 

One of our main philosophies at Kevel is that your end users should feel confident that their data is safe in your hands, which means that you need to have that confidence in us as well. SOC 2 is a big step in solidifying that security. 

Let’s be clear: SOC 2 compliance wasn’t easy

The process of becoming SOC 2 compliant for Kevel may seem like 8 simple steps:

  1. Choose the type of SOC 2 report we want to obtain (Type 1 or Type 2).
  2. Identify which TSCs (Trust Services Criteria) are relevant to Kevel (Security and Confidentiality).
  3. Conduct a gap analysis to determine if our then-current controls met the TSCs.
  4. Implement additional organizational controls where gaps in the TSCs were identified.
  5. Choose an external auditing firm.
  6. Provide the auditor access to our organization's documentation (policies, procedures, evidence, etc).
  7. The auditing firm will complete an audit of our organizational controls. This includes interviews with staff, testing of controls, and reviewing our documentation and other evidence.
  8. After the audit has been completed, a SOC 2 report will be issued.

However, each of these steps required significant cross-team collaboration to reach its milestone.

The first step to achieving compliance under any framework is to understand the relevant controls and where our internal practices were falling short. This was a multi-departmental effort, with individuals across internal teams dedicating their time to preparing for the audit.

From there, we were able to identify what actions were needed for us to align ourselves with the SOC 2 requirements. We then drafted new documentation, created new policies and procedures, and updated existing policies and procedures to reflect the process improvements we were undertaking. By utilizing a compliance management system called Drata, we were able to run continuous tests of our controls and ensure that the improvements we were implementing were being adhered to. 

The SOC 2 audit has reaffirmed that at Kevel:

Data security remains our top priority. We have implemented a number of new controls to protect our data, and we are committed to continuously improving our security posture.

Communication is key. We have learned the importance of communicating with our customers, partners, and other stakeholders about our data security efforts.

We are stronger together. We have learned that we can achieve more by working together as a team.

We are all responsible for data security. We all have a role to play in protecting our data.

It is important to be aware of the latest threats. We need to stay up-to-date on the latest cyber threats so that we can take steps to protect ourselves.

We are proactive in our approach to security. We cannot wait for something to happen before we take action.

We are creative in our solutions. There is no one-size-fits-all approach to security. We need to be creative in our solutions to address the specific challenges that we face.

We are open to feedback. We need to be open to feedback from our customers, partners, and other stakeholders so that we can continuously improve our security posture.

This is an important step forward for Kevel. 

The SOC 2 audit is rigorous and keeps us in accordance with the American Institute of Certified Public Accountants standards. Our enterprise-level security is certified through this process. We are proud to have completed this work, and are excited to share this with our customers. Data security remains our priority, and our SOC 2 audit shows that our tech backs up this key value of our company.
