Learn About SOC 2
SOC 2 is a compliance standard (not a certification) that specifies how companies should manage general customer data. SOC 2 guidelines are built on five sets of standards.
Frequently Asked Questions
What is SOC 2?
SOC 2 (Service Organization Control) is the standard of the AICPA that is widely considered the benchmark for trust in the cloud industry.
What are the five sets of SOC 2 standards?
How many types of SOC 2 compliance exist?
There are two types of SOC 2 compliance – Type 1 and Type 2.
Type 1 assesses controls at a single point in time, whereas Type 2 assesses them over a period of time, and is therefore more difficult to achieve.
Why is SOC 2 important?
Demonstrating that you’re SOC 2 compliant is important because it demonstrates that your company has adequate, effective controls in place to govern how information is handled within the business.
This is a more reliable process than simply giving your word to enterprise clients that you have sufficient security protocols in place to protect sensitive data, since a SOC 2 audit is performed by an independent third-party auditor.
In turn, this adds tangible credibility to the security features that your company has in place.
Is SOC 2 compliance mandatory?
SOC 2 is a voluntary compliance standard, but that doesn’t mean your company won’t need it.
Some enterprise clients that deal with large volumes of data may require partnering companies to remain SOC 2 compliant, in order to ensure every possible protection is in place to secure their confidential data and prevent data leaks.
It may be a mandatory requirement for future partnerships, so it’s a good idea to ensure that your business remains SOC 2 compliant.
Who must comply with SOC 2?
Organizations that work in service and either process or store sensitive client data should consider a SOC 2 audit and maintain compliance.
Because SOC 2 has been largely accepted as an important part of the United States standard for information security, the number of companies being asked to undergo a SOC 2 audit and remain SOC 2 compliant continues to grow on an annual basis.
What is a SOC 2 audit?
A SOC 2 audit report offers in-depth information about how well a service organization is meeting the five SOC 2 sets of standards: confidentiality, security, processing integrity, privacy controls, and availability.
The audit should be performed by a licensed CPA firm; if a third-party company that isn’t CPA licensed performs the audit, it must have a CPA firm sign off on the audit after it’s completed.
How do I become SOC 2 compliant?
If you’re interested in your business becoming SOC 2 compliant, you’ll need to hire a third-party auditor to visit your business and perform a SOC 2 audit.
A useful first step towards getting SOC 2 compliant is signing up to use the MedStack platform for your business, since we take steps to ensure the SOC 2 compliance process goes as smoothly as possible for your company.
How can MedStack help with SOC 2 compliance?
MedStack does an annual Type 2 SOC 2 report, which covers our entire platform. We achieved Type 1 compliance in January of 2020, and Type 2 compliance in September of 2020.
Inheritable Security Controls
The security controls referenced in our SOC 2 reports are inheritable by our customers, which means that anyone using the MedStack platform for their business will be SOC 2 compliant.
Day 1 Evidence
For companies that need to become SOC 2 compliant across their own business, 70% of the controls necessary for SOC 2 compliance are already complete by running on the MedStack platform. We can provide evidence of that level of compliance on day one.
Save Costs and Time
For the remaining controls (e.g., site visit, personnel and administrative requirements), companies still need an auditor to complete the assessment, but they can reach full SOC 2 compliance at a fifth of the cost and time.
Learn how our platform can help you become SOC 2 compliant
We are the only platform that brings together compliance, security assessment responses, threat protection, and audit readiness into a complete offering, ensuring your application runs and manages data in the cloud with the highest privacy and security standards in mind.