Article

A Beginner's Guide to SOC2

Jens Schumacher

Jun 6, 2024

3 minutes read


We’re thrilled to announce that Released is officially SOC2 Type II compliant. Let’s walk you through what this means and share our journey to get to this point. If you're developing a SaaS product, this guide will provide a roadmap for your SOC2 certification journey.

What is SOC2?

SOC2, or System and Organization Controls 2, is a compliance standard developed by the American Institute of CPAs (AICPA). It evaluates companies on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Why SOC2 Certification?

The main reason we pursued SOC2 certification is straightforward: earning customer trust. When customers entrust us with their data, they expect top-notch security measures. Achieving SOC2 compliance not only showcases our dedication to data security but also saves us from repeatedly filling out those lengthy 140+ question security questionnaires.

SOC2 is Not an Enterprise Feature

Many companies limit access to their SOC2 reports to Enterprise customers, assuming only large organizations care about compliance. This approach is misguided. Startups also need compliance proof from their vendors. Forcing small companies to subscribe to Enterprise tiers is impractical. At Released, we provide SOC2 reports to all our customers, including those on the free tier, at no extra cost. We treat all customer data with the same high level of security and compliance. If you're working towards your SOC2 compliance, don't hide it behind an enterprise tier.

Our Journey to Certification

We kicked off our SOC2 journey just six months after launching Released. Even though we only occasionally got security questionnaires and SOC2 questions, we knew getting a head start would make things easier. It took us less than two months to prepare for the audit, and having these practices and standards in place early has been a game-changer. It’s much better than trying to catch up when the company is bigger. Here’s how we did it:

Choosing a Compliance Monitoring Tool

We evaluated several tools that integrate with our cloud providers, task management systems, and identity and HR providers to simplify the monitoring, collection, and submission of evidence for auditors. After narrowing down the list to Vanta and Drata, we ended up choosing Vanta. Vanta’s support for multiple compliance standards and their connection to our network of Atlassian Ventures companies influenced our decision.

Selecting an Auditor

With Vanta set up, we started looking for an auditor. When choosing a SOC2 auditing firm, look for one with extensive experience, a solid reputation, and relevant certifications. Make sure they understand your industry, offer clear communication, and are familiar with the compliance monitoring tool you picked. Also, consider their pricing, flexibility, and the level of support they provide both during and after the audit.

A few companies in our network recommended Prescient Security. We ended up choosing them for their competitive pricing and experience with similar SaaS companies. The audit kicked off with a review of our systems in scope and setting a date.

SOC 2 Type I vs Type II

One decision you'll need to make is whether to pursue SOC 2 Type I or Type II for your initial certification.

  • SOC 2 Type I reports evaluate a company’s controls at a single point in time. They answer the question: are the security controls designed properly?

  • SOC 2 Type II reports assess how those controls function over a period of time, generally 3-12 months. They answer the question: do the security controls a company has in place function as intended?

Although you can get a Type I report much faster, Enterprises want to see that you're actually following through on your stated policies. Type I will not cut it in most cases. That’s why we decided to go straight for Type II with a three-month audit window.

Key Takeaways

  • Early Preparation: Starting early was crucial. We recommend beginning your compliance journey as early as possible in the life of your company.

  • Customizing Controls: Not all controls apply to every company, especially smaller ones. It's acceptable to disable certain controls and provide explanations tailored to your specific context.

  • Utilizing Tools: Compliance tools like Vanta are invaluable for ongoing monitoring and evidence collection, especially for maintaining Type II compliance over time.

  • Go straight for Type II: Yes, Type I will give you a certification earlier. But for most Enterprises, it’s not sufficient. Save the additional money and go straight for Type II.

Lessons Learned

  1. Automation and Manual Effort: While tools like Vanta automate many tasks, some evidence collection remains manual. Be prepared for this.

  2. Auditor Collaboration: Engage with your auditor early to understand relevant controls and avoid unnecessary work.

  3. Custom Policies: We adapted Vanta’s templates to fit our needs, ensuring that our policies were practical and meaningful rather than merely ticking boxes.

Launching Our Trust Center

We are excited to launch our Trust Center, showcasing the measures we take to safeguard your data. You can view our audit reports on our security portal or reach out to us at support@released.so for more information.

By sharing our experience, we hope to provide a clear path for other companies aiming for SOC2 certification. At Released, we are committed to maintaining the highest standards of security and compliance to protect our customers and their data.
