3 Things to Know About SOC 2 Compliance and Cloud Providers
By Daniel Lassell | February 8, 2018
#1: What Is the Difference Between SOC 1, 2 and 3?
Service Organization Control (SOC) is a compliance standard with three types of certification, aptly named SOC 1, SOC 2 and SOC 3.
SOC 1 is primarily meant for banks, investment firms and other such companies that house financial data, while SOC 2 is for non-financial companies that house or process data, which may or may not be financial. It is this latter certification that software and cloud providers often use to verify their technology controls and processes. Auditors for the SOC frameworks check for security, availability and data protection, using the standards and Trust Principles of the American Institute of CPAs (AICPA) as their baseline.
SOC 3 stands apart from the other certifications because it doesn’t focus on validating controls and operations. It is intended for general-purpose disclosure and public visibility (SOC 3 reports don’t typically include confidential information), with organizations audited under the SysTrust and WebTrust seal programs. This certification is usually ideal for organizations that simply want to market a product against marketplace standards.
#2: Why Is SOC 2 Important for Cloud Providers?
Obtaining a SOC 2 certification is a rigorous process: a third-party CPA firm comes to the vendor’s datacenter site and assesses its availability and security posture. The assessment covers infrastructure, IT system controls, security protocols, recovery processes and more. In short, the auditor reviews the vendor’s setup and processes and determines how effectively it delivers its service to clients.
This certification is meaningful to clients because it verifies that a cloud provider effectively implements and practices what it advertises. Even if the client has no compliance requirements of its own, a SOC 2 report functions as written assurance that the vendor is protecting its data. This is particularly useful to companies that are assessing potential cloud providers, since reading the report gives them transparency about what to expect from the provider.
Migrating from managing your own datacenter(s) to considering cloud hosting options (public, private or hybrid) can create fear and uncertainty. A SOC 2 report provides validation of what are likely the most critical concerns about security and process control. It can also serve as a basis for asking a provider deeper questions about SOC 2 or other compliance frameworks.
SOC 2 often lays the groundwork for other compliance frameworks, since being SOC 2 compliant gives the cloud provider a foundation for supporting other data protection and security standards. For example, a SOC 2 report can include supplemental materials and addendums that help clients understand the provider’s stance on related frameworks, such as the HIPAA Security Rule. This matters because a cloud hosting or recovery provider can only supply the foundation; its clients remain responsible for achieving their own regulatory requirements such as HIPAA, PCI or GDPR. Be sure the provider can articulate which responsibilities are “yours, mine or ours.”
#3: Why Is InterVision Dedicated to Being SOC 2 Compliant?
Each year, InterVision engages independent, qualified assessors to examine our recovery and hosting solutions, datacenters, controls, and security and operational policies for SOC 2 certification. It verifies for us that we can deliver on our promises to clients.
We commit ourselves to supporting our clients’ need for their sensitive information to be both secured and available for use at all times, and many of them fall under strict regulatory and compliance requirements. With the foundation of our SOC 2 Type II audit, which includes a HIPAA compliance addendum, plus EU-U.S. and Swiss-U.S. Privacy Shield certification, we are able to support our clients’ needs when they are tasked with meeting compliance frameworks such as HIPAA, PCI-DSS or GDPR.
We are excited to have achieved SOC 2 Type II certification for the ninth year in a row. We believe this accomplishment, and our success in supporting our clients’ compliance and security obligations, speak to our ability to execute data protection in alignment with client objectives and demands. Compliance certifications like SOC 2 are just one way we hold ourselves to the highest industry standards.
Additionally, we have the highest client satisfaction in the industry for our Disaster Recovery as a Service (DRaaS) solutions with a rolling 12-month Net Promoter Score of over 80 and a near 5 out of 5 stars on G2 Crowd, a customer review site. To read more about InterVision’s unique recovery solutions, visit our DRaaS webpage. If you’d like to learn more about DRaaS, download our Ultimate Guide to DRaaS.
As always, we are happy to answer any questions you might have about SOC 2 compliance, or about Disaster Recovery as a Service (DRaaS) and how it can help your organization meet its IT resiliency objectives. Drop us a line here.