Lessons learned: Findem achieves SOC 2 Type II certification
Security is a top priority at Findem, because people data is at the heart of our platform. We pride ourselves on our robust controls and our responsiveness to customer security requirements.
As a fast growing startup, we needed a sustainable way to quickly and efficiently satisfy security and compliance requirements for our customers.
That’s why Findem is proud to announce our SOC 2 Type II certification in compliance with AICPA standards for security, availability, and confidentiality.
What Is SOC 2 Type II?
SOC 2 is a certification program established by AICPA that demonstrates an organization’s ability and commitment to managing customer data across security, availability, processing integrity, confidentiality, and privacy.
SOC 2 Type I certification verifies adherence to the standards at a moment in time. SOC 2 Type II monitors systems over a period of several months to ensure that security policies are being enforced properly.
Findem’s SOC 2 Type II certification verifies that we have well defined controls, processes, and policies in place with respect to security, confidentiality, and availability. It is our next step after achieving SOC 2 Type I certification, solidifying our commitment to security in operations.
Lessons Learned
Obtaining SOC 2 is a major milestone for any organization, but the time and investment required can’t be ignored. Here are a few of our lessons learned from the process:
Automate as much as possible
We chose to partner with Vanta to streamline the process. Vanta automates required controls and collection of up to 90% of the evidence needed for the audit. They provide a secure site to upload the rest of the documentation needed. Their support and guidance was essential for an organization our size.
We estimate that Vanta reduced the prep time for our audit from months to weeks.
Choose auditors with extensive experience in SOC 2
We worked with Johanson Group LLP as our auditors. They audited the data collected and the reports produced by Vanta as well as documentation produced by our team.
For example, our team developed security policies and a business continuity plan. The auditors ensured that these policies and procedures meet the standards for SOC 2 compliance.
Plan to have a DevOps engineer and IT manager available
The IT manager is generally responsible for collecting data and answering questions with regard to employee equipment and internal procedures. The DevOps engineer responds to questions related to servers, cloud infrastructure, and security policies. Both work closely with auditors and need to be available to speed your audit.
Make compliance a continual process
We began our SOC 2 audit process in January 2021. We’re proud to have progressed from Type I to Type II and established the necessary controls for security, availability, and confidentiality. We are now committed to making this an annual process, as well as expanding our efforts to include privacy and operational integrity.
SOC 2 Type II Certification Achieved
Findem is serious about security. We are committed to meeting industry standards with rigorous review and monitoring. SOC 2 Type II compliance is essential to the growth and credibility of our company. To obtain a copy of our certification, please contact us.