Announcing Datafold's SOC2 Type II Report
Our journey towards SOC2 type II
It is official! We are now SOC2 type II compliant. This time, the process was not as intensive as the audit we went through for SOC2 type I compliance, mostly because all controls and policies were already in place. The majority of the effort went into showing that the policies were being followed and going through what auditors call populations and samples to confirm that the controls are effective. Because of that, the audit went extremely smoothly and the final report was delivered four weeks ahead of schedule.
What does SOC2 type II compliance mean for our customers?
What makes the type II certification so important is that it eases the onboarding process. When two companies meet and want to do business together, their security teams need to exchange information to understand how their company's data is processed and what controls are in place to protect access to it. The exact policies differ from company to company, but many require a security questionnaire to be filled in if the vendor is not yet SOC2 compliant.
The security officer ends up filling in these questionnaires, which is a lengthy process: in some questionnaires you cannot simply answer the question, but must also provide references to where the policy or control is documented. Some of those questionnaires have 250+ questions. In essence, questionnaires can feel like mini audits.
What the type II certification helps us do is reach consensus on our security posture more quickly, so that onboarding of companies using our service happens faster and with less friction.
What does the SOC2 type II say about our security?
The SOC2 report describes what was audited and the controls Datafold has implemented to address security. For example, SOC2 verifies that Datafold has:
- Monitoring of our systems, covering system load, availability and backups.
- Annual policies to reevaluate system risk assessments, personnel appraisals, security awareness renewals, etc.
- Internal access controls for our production environment.
- Disaster recovery procedures, data backups and incident response procedures, exercised at least annually.
- Communication between Datafold and our customers about software changes, security concerns and policy changes.
- Internal procedures for calling out security incidents.
- Procedures and specifications for encryption of data at rest and in transit.
We are proud of this achievement. The report demonstrates our security-by-design approach to software development and how seriously we take keeping our customers' data safe.