SOCi takes the security of the information entrusted to it extremely seriously and devotes significant resources to its care. SOCi proves its security commitment by having yearly rigorous, independent third-party assessments done, using a universally recognized standard of compliance called a SOC 2 Assessment (Service Organization Control 2).
SOCi has a highly complex information systems infrastructure and great care has been taken in protecting the information entrusted to SOCi by its clients. We take the security and privacy of your information extremely seriously.
A sound Information Security Management System (ISMS) includes both technical controls and organizational controls, and SOCi has implemented an advanced ISMS, based on a broad and ongoing risk assessment and constant attention to evolving risks and threats.
- SOCi utilizes best practices and industry standards to ensure that its information systems remain secure
“Controls” are formal activities or systems put into place to reduce either the impact of an adverse event, or the probability of that event occurring. These controls break down into “organizational controls” and “technical controls”.
- SOCi has implemented a broad and comprehensive set of security controls called The Common Criteria Controls that are consistent with the American Institute of CPAs (AICPA) requirements for “Trust Services Criteria for Security, Availability, Processing Integrity and Confidentiality”.
The protections implemented at SOCi include, but are not limited to, the following controls:
- A Chief Technology Officer (CTO) well-versed in security and responsible for all aspects of technology, including security
- A Virtual Chief Information Security Officer (vCISO) responsible for advising on all security matters
- An ongoing Security Awareness Education (SAE) program required for all SOCi staff and contractors
- A comprehensive set of policies and procedures ensuring that security objectives and direction from senior management are communicated and implemented throughout the organization
- An annual independent third-party professional assessment of all technical and organizational controls, conducted by a highly qualified third-party auditor and documented in a “System and Organizational Controls Report” (SOC 2)
- Industry-standard best practices related to operations, including change management and application development
- Reliance upon Amazon Web Services (AWS) which deploys a highly secure, monitored and tested infrastructure
- Strong encryption for the transmission of all sensitive data, using Transport Layer Security (TLS)
- Ongoing and constant monitoring of systems and infrastructure
- Regular vulnerability assessments performed by a qualified independent third party
- Use of endpoint protections on workstations to prevent virus and malware infections
- Backups of all critical systems, and a comprehensive disaster recovery capability
- Use of standard network and system protections including next-generation firewalls and intrusion detection/prevention systems (IDS/IPS)
- A wide variety of technical systems and processes designed to prevent an adverse event before it occurs, or to limit its impact if it does.
- Identity and access management (IAM) controls to ensure that only authorized people have access to data
Vertical Industry Security Requirements (i.e. HIPAA & FINRA Compliance)
Many companies have industry-specific security requirements such as HIPAA for medical services and FINRA for some financial services. While these requirements vary from industry to industry, all of them are broadly consistent with the stringent controls that SOCi has already put in place. SOCi verifies these controls using the widely accepted SOC 2 report, which can be presented to clients requesting validation of SOCi’s security posture. This audit is performed by a highly qualified third-party auditor, ensuring a fully independent assessment of SOCi’s security.
Additionally, these controls can be mapped to other industry-specific requirements as needed. For example, although SOCi is not a “covered entity” and therefore not itself required to adhere to HIPAA regulations, SOCi demonstrates its alignment with HIPAA controls through its 2020 SOC 2 report which includes a direct mapping to necessary HIPAA controls. A standard HIPAA Business Associate Agreement (BAA) addendum may be added to your contract upon request.
This approach allows SOCi to demonstrate that, while SOCi itself may not be required to adhere to clients’ industry-specific requirements, it is able to protect its clients’ data in a manner consistent with the requirements of those industry regulations.
To request a copy of SOCi’s SOC 2 report, contact your Account Executive or Customer Success Manager. If you have any questions or concerns about SOCi’s security, please contact us at firstname.lastname@example.org.