According to the American Institute of CPAs (AICPA), SOC stands for System and Organization Controls. A SOC report is a written evaluation of the level of data security a service organization maintains.
Convictional handles sensitive data for major retailers, distributors, aggregators and other B2C and B2B marketplaces. Being SOC 2 compliant communicates that we have secure internal controls and that our business partners can trust us to handle their customers’ confidential information, such as names and addresses.
However, unlike SaaS companies that have specific points of focus for their customers, Convictional is a platform. Thus, beyond consumer personal information, we also store proprietary business information across our network, such as who is trading with whom and the order volume associated with those relationships. It’s important to us and to our customers that we handle that data with a high degree of information security and confidentiality, in a reliable way, and that we have a way to communicate that competency.
What’s the difference between SOC 1 & SOC 2?
According to the American Institute of Certified Public Accountants, a SOC 2 Type I report is a one-time audit. But our more rigorous customer engagements require us to be compliant at all times, so we chose to undergo a SOC 2 Type II audit. In this process we gave an auditor access to check our security controls at random points throughout a set period of time.
SOC 2 Type II provides the most complete view of our compliance posture because it is conducted over an extended time period. We need to demonstrate continuous success in adhering to the requirements of the SOC 2 trust services criteria.
Why Convictional underwent the SOC 2 process
Most of what is required under SOC 2 is actually beneficial to quality software engineering and operating effectiveness. A lot of it has to do with de-risking a service organization’s controls and processes: change management of software code, ensuring changes are reviewed for security implications and unauthorized access, internal checks and balances on HR systems and people practices, and team training.
It’s what any software company wants to be doing anyway in order to work with enterprise customers. Because of this, we didn’t feel a lot of friction when it came to implementing the trust services principles in practice. The SOC 2 standards served as a pretty handy guide to the level of rigor our customers valued, and to how we could keep meeting it.
Trust is hard fought, and easily lost, as a startup working with some of the largest, oldest and most operationally mature companies in our industry. Convictional’s SOC 2 Type II compliance shows existing and future customers that we take compliance seriously - sometimes even more so than they do.
How Convictional approached our SOC 2 audit
Convictional formed a small committee made up of one of the founders, two software engineers and our HR manager.
This group broke down and implemented the compliance requirements of the program. We did this over the course of six months, until our posture was sufficient to address all the controls and best practices prescribed by SOC 2.
Once we had done about 80% of the typical requirements, we engaged Vanta to support us in continuous monitoring of the program, and to advise us on addressing the remaining 20% of open issues.
How we chose trust service providers
We chose to partner with vendors that supported our goal of adhering to a SOC 2-compliant posture.
- Vanta - an audit prep provider who also happens to provide continuous compliance monitoring
- Federacy - a penetration testing and bug bounty program administrator and a continuous external vulnerability scanning provider
- Detectify - an external vulnerability scanning provider to constantly monitor for external vulnerabilities in our services and alert us
- Google Cloud Platform - our cloud infrastructure provider, serving as our data center
Altogether, this formed the stack of technologies required. It ended up serving our needs well and putting us in the best position to demonstrate our compliance to auditing standards.
Our audit report timeline
The full process took us about 14 months: from realizing the importance of SOC 2 compliance, through researching and understanding the implications and deciding on timing, to implementing it.
Once we had the basics in place, the audit prep took a little over a month, followed by a 4-month monitoring period. From there it only took 1 more month to put together the various assertion letters required to demonstrate our risk management posture.
SOC 2 proves Convictional’s internal controls & processing integrity
"As a storied retailer, with a sought-after clientele, we emphasize rigorous protection of our customer data. We're proud to partner with a modern technology provider that demonstrates that same commitment while helping us move at the speed of a startup."
— Stephen Jackson, EVP/CIO Harry Rosen
Because we’re a startup we can move fast, and thoughtfully, on compliance. This is what big companies value about partnering with startups. For example, we are now working to offer features like access controls and single sign-on (SSO) authentication to our customers as well.
Undergoing the 14-month process of getting SOC 2 certified means we take the security, availability and confidentiality of data and financial information seriously. The extended audit process, with its random checks, also proves that we take these things seriously enough to practice them every day, not just on a single audit day.
Contrary to popular opinion, we’re glad we underwent our SOC 2 early in the lifecycle of our business and product development efforts. It’s better to have these practices in place before they become a hard and fast requirement in our deals.
Being SOC 2 compliant also aligns us with compliance, risk and security groups inside enterprise accounts, without having to go through the time-consuming vendor questionnaire process each time.
Our goal is to maintain the quality of our existing security posture and to improve it as issues arise and our practice matures. Finally, we’re working on automating compliance activities, or finding vendor partners who can help us reduce the burden of those activities themselves.
We’re extremely proud to be great at crucial things like these that are within our control. If we do this right, we can continuously improve our compliance posture without requiring external motivating factors, and begin to advance the definition of good practice in our chosen domain.