What SOC 2 Compliance Means for Your Cloud Data

Companies of all sizes and across all industries are investing in cloud computing resources, but there is still apprehension around the level of data security in the cloud. This makes perfect sense: IT departments and consumers should be mindful of how their critical cloud data is being protected.

The good news is that today’s major cloud vendor players are on the same side, going through extensive audits and other regulations to ensure that their customers’ data is as secure as possible. With all the security regulations for cloud vendors, the cloud may actually become a safer place to store data than on-premises software (i.e., software that is installed and run within the physical location of an organization).

At Inkling, for example, we recently completed the (fittingly) long process to become SOC 2 Type 2 compliant.

What is SOC 2 compliance?

SOC 2 Type 2 compliance is crucial–if not required–for any vendor to work with larger, enterprise-level organizations. This level of compliance is verified by an independent audit firm, examining the company’s methods and process of security, availability, processing integrity, confidentiality, and privacy against a pre-defined standard set by the American Institute of Certified Public Accountants (AICPA).

As enterprise organizations have more stringent data security standards, vendors that are SOC 2 Type 2 compliant have a leg up over vendors who are SOC 1 compliant (or, worse, not compliant with any security standards).

What’s the difference between SOC 1 and SOC 2 compliance?

There is a common misconception in the industry as to the difference between these types of compliance. SOC 1 (or SAS 70, or SSAE15) compliance is more focused on the security of the financials of a cloud vendor. SOC 1 compliance means that the vendor created a set of criteria and then passed the audit. In other words, the vendor creates the test that it needs to pass.

SOC 2 compliance tests whether there are information security controls around the data. It’s a newer audit and is much more comprehensive than a SOC 1 audit. It is a third-party verification process that validates a company’s compliance with a set of objective standards. The standards are based on AICPA criteria, to ensure that your cloud-based data is protected.

The takeaway is clear: If you’re a major enterprise company, or a company that cares deeply about the security of your cloud-based data, seek a vendor with SOC 2 compliance.