Skip Navigation Logo for: Exposure

What Does it Mean to be SOC 2 Compliant?

posted on

SOC 2 graphic

Website security is crucially important for businesses, both to safeguard the privacy of customers and to protect the business itself from security breaches.

Security measures like using strong passwords, being aware of scams that target small businesses, and upgrading your website to SSL/HTTPS technology are all key steps in keeping your site secure.

Another level of security is SOC 2 compliance. Developed by the Association of International Certified Professional Accountants (AICPA), Service Organization Control 2 (SOC 2) is a voluntary compliance standard that specifies how organizations should handle customer data.

SOC2  is not a required security measure for businesses, but using a technology provider—like a website hosting company, data center, or IT provider—that is SOC 2 compliant will demonstrate that you take data security seriously and have taken significant steps to keep customer data protected.

SOC 2 reports evaluate an organization’s security controls based on five Trust Services Criteria:

  1. Security: How well the organization protects information from unauthorized access.
  2. Availability: Whether the system performs well enough to maintain normal business operations.
  3. Processing Integrity: Whether the system performs predictably, consistently, and with no unexplained errors.
  4. Confidentiality: Protection of confidential information from collection through disposal.
  5. Privacy: Protection of personally identifiable information (PII) collected from customers.

Every organization decides which Trust Services Criteria to include in SOC 2 audits, depending on the specific needs of their business and industry, but in general a technology company that is SOC 2 compliant offers:

  • Better protection against cyber attacks and security breaches.
  • Restrictions to prevent unauthorized access to sensitive data.
  • Proactive threat detection to identify security weaknesses and unusual activity before data is lost.
  • Identification of any security risks so action can be taken immediately to neutralize the threat.
  • Detailed monitoring of ongoing operations to detect and resolve any deviations from standard security procedures.