Privacy isn’t a term we use lightly at Kevel: it’s part of our core infrastructure and the ethos of our company. From our values and mission statement to the makeup of our technology, privacy and security are the cornerstone of our decision making, product development, and company culture itself.
To us, this meant SOC 2 compliance was an obvious step towards our mission of “making the Internet a better place.” We wanted to share a little more about what that looks like and really means at a macro level, along with what it has looked like at Kevel specifically.
SOC 2, or System and Organization Controls 2, is a voluntary standard developed by the American Institute of Certified Public Accountants (AICPA) that provides a framework for auditing and reporting on a service organization's security, availability, processing integrity, confidentiality, and privacy.
SOC 2 compliance is becoming increasingly important as more and more organizations move their data to the cloud. By obtaining a SOC 2 report, an organization can demonstrate to its customers, investors, and other stakeholders that it has implemented appropriate controls to protect their data. There are five main principles that make up the SOC 2 report (the AICPA's Trust Services Criteria), which define how an organization should manage customer data: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 reports come in two varieties: Type 1 and Type 2. A Type 1 report provides assurance on the design and effectiveness of the organization's controls at a single point in time, while a Type 2 report provides assurance on both the design and operating effectiveness of the organization's controls on an ongoing basis.
Obtaining a SOC 2 attestation report means that Kevel can assure our customers, investors, and other stakeholders that we have implemented appropriate controls to protect their data.
You might be thinking of when we obtained our SOC 1 Type 2 certification! That type of audit is focused on internal controls over financial reporting, and it reports on controls over the course of a year.
By following the SOC 2 framework and performing annual third-party audits, Kevel can demonstrate to its leadership, customers, and partners that we are committed to data security. This commitment will help to reduce the risk of data breaches, build customer trust, and improve our overall security posture.
One of our main philosophies at Kevel is that your end users should feel confident that their data is safe in your hands, which means that you need to have that confidence in us as well. SOC 2 is a big step in solidifying that security.
The process of becoming SOC 2 compliant for Kevel may seem like 8 simple steps:
However, within each of these steps, there was significant cross-team collaboration that occurred to achieve each milestone.
The first step to achieving compliance under any framework is to understand the relevant controls and where our internal practices were falling short. This was a multi-departmental effort requiring input from various individuals on internal teams dedicating their time to preparing for the audit.
From there, we were able to identify what actions were needed for us to align ourselves with the SOC 2 requirements. We then drafted new documentation, created new policies and procedures, and updated existing policies and procedures to reflect the process improvements we were undertaking. By utilizing a compliance management system called Drata, we were able to run continuous tests of our controls and ensure that the improvements we were implementing were being adhered to.
Data security remains our top priority. We have implemented a number of new controls to protect our data, and we are committed to continuously improving our security posture.
Communication is key. We have learned the importance of communicating with our customers, partners, and other stakeholders about our data security efforts.
We are stronger together. We have learned that we can achieve more by working together as a team.
We are all responsible for data security. We all have a role to play in protecting our data.
It is important to be aware of the latest threats. We need to stay up-to-date on the latest cyber threats so that we can take steps to protect ourselves.
We are proactive in our approach to security. We cannot wait for something to happen before we take action.
We are creative in our solutions. There is no one-size-fits-all approach to security. We need to be creative in our solutions to address the specific challenges that we face.
We are open to feedback. We need to be open to feedback from our customers, partners, and other stakeholders so that we can continuously improve our security posture.
The SOC 2 audit is rigorous and keeps us in accordance with the American Institute of Certified Public Accountants' standards. Our enterprise-level security is certified through this process. We are proud to have completed this work, and we are excited to share it with our customers. Data security remains our priority, and our SOC 2 audit shows that our technology backs up this key value of our company.