SOCi takes the security of the information entrusted to it extremely seriously and devotes significant resources to its care. SOCi proves this security commitment by having yearly rigorous, independent third-party assessments done, using two universally recognized standards of information security compliance: a SOC 2 Assessment (System and Organization Controls 2 Type II) and ISO 27001:2013 certification.
SOCi has a highly complex information systems infrastructure and great care has been taken in protecting the information entrusted to SOCi by its clients. We take the security and privacy of your information extremely seriously.
A sound Information Security Management System (ISMS) includes both technical controls and organizational controls, and SOCi has implemented an advanced ISMS, based on a broad and ongoing risk assessment and constant attention to evolving risks and threats.
- SOCi utilizes best practices and industry standards to ensure that its information systems remain secure
“Controls” are formal activities or systems put into place to reduce either the impact of an adverse event or the probability of that event occurring. These controls break down into “organizational controls” and “technical controls”.
- SOCi has implemented a broad and comprehensive set of security controls, called the Common Criteria Controls, that are consistent with the American Institute of CPAs (AICPA) requirements for “Trust Services Criteria for Security, Availability, Processing Integrity and Confidentiality”. SOCi has additionally deployed all controls required for ISO 27001:2013 certification.
The protections implemented at SOCi include, but are not limited to, the following controls:
- A Chief Technology Officer (CTO) well-versed in security and responsible for all aspects of technology, including security
- A Vice President of Information Security and Compliance responsible for all security matters
- An ongoing Security Awareness Education (SAE) program required for all SOCi staff and contractors
- A comprehensive set of policies and procedures ensuring that security objectives and direction from senior management are communicated and implemented throughout the organization
- An annual independent third-party professional assessment of all technical and organizational controls, conducted by a highly qualified third-party auditor: a “System and Organization Controls Report” (SOC 2)
- An annual independent third-party professional assessment and certification against the international standard ISO 27001:2013
- Industry-standard best practices related to operations, including change management and application development
- A formal Information Security and Privacy Management Committee including members of senior management to ensure that information security is prioritized from the top down
- Reliance upon Amazon Web Services (AWS) and Google Cloud Platform (GCP) which deploy a highly secure, monitored, and tested infrastructure
- Strong encryption for the transmission of all sensitive data, using Transport Layer Security (TLS)
- Ongoing monitoring of systems and infrastructure
- Regular vulnerability assessments performed by a qualified independent third party
- Annual penetration testing of our platform by a CREST-certified security assessment firm
- Use of endpoint protections on workstations to prevent virus and malware infections
- Backups of all critical systems, and a comprehensive disaster recovery capability
- Use of standard network and system protections including next-generation firewalls and intrusion detection/prevention systems (IDS/IPS)
- A wide variety of technical systems and processes designed to prevent an adverse event before it occurs, or to limit its impact if it does
- Identity access and management controls to ensure that only authorized people have access to data
Vertical Industry Security Requirements (e.g. HIPAA & FINRA Compliance)
Many companies have industry-specific security requirements, such as HIPAA for medical services and FINRA for some financial services. While these requirements vary from industry to industry, all of them are broadly consistent with the stringent controls that SOCi has already put in place. SOCi verifies these controls using the widely accepted SOC 2 standard, and the resulting report can be presented to clients requesting validation of SOCi’s security posture. This audit is performed by a highly qualified third-party auditor, ensuring a fully independent assessment of SOCi’s security.
Additionally, these controls can be mapped to other industry-specific requirements as needed. For example, although SOCi is not a “covered entity” and therefore not itself required to adhere to HIPAA regulations, SOCi demonstrates its alignment with HIPAA controls through its 2020 SOC 2 report which includes a direct mapping to necessary HIPAA controls. A standard HIPAA Business Associate Agreement (BAA) addendum may be added to your contract upon request.
This approach allows SOCi to demonstrate that while SOCi itself may not be required to adhere to clients’ industry-specific requirements, SOCi has the ability to protect its clients’ data consistent with the requirements of specific industry regulations.
To request a copy of SOCi’s SOC 2 report or our ISO 27001 certificate (reproduced below), contact your Account Executive or Customer Success Manager. If you have any questions or concerns about SOCi’s security, please contact us at email@example.com.
To download a copy of SOCi’s SOC 3 Type II report, please click here.
SOCi maintains a security bug bounty program for our systems and applications. For more information or to report a bug, please email firstname.lastname@example.org.