We hold ourselves to a high standard at CertifID. It’s a part of everything we do, from how we build relationships with partners to our infrastructure and operations. That’s why I’m pleased to share our next achievement: SOC 2 Type II certification.

SOC 2 Type II certification represents a verified achievement of core security controls. We’ve proven — as determined by an independent team of auditors — that we have the proper cybersecurity procedures to safeguard sensitive data.

As CertifID’s Head of Security, Compliance, and IT, I’m thrilled to be recognized as a SOC 2 Type II organization. However, as a cybersecurity professional, I’m sensitive to the misinterpretations of SOC 2 certification and its reflection on product security. Robust internal processes and product effectiveness are two different ways of protecting your data.

So, what does SOC 2 certification mean for you, your business, and your end users? And what does it mean for us as a cybersecurity company? In this article, I’ll dive into what SOC 2 does — and doesn’t — mean and how you should use it to evaluate your vendors.

What is SOC 2 Certification?

SOC 2 — or Service Organization Control Type 2 — is a cybersecurity compliance framework for how a company manages customer data. SOC 2 is based on five trust services criteria defined by the American Institute of Certified Public Accountants (AICPA): security, availability, processing integrity, confidentiality, and privacy. It’s up to each company to define how their operations apply to these five criteria.

Achieving SOC 2 certification requires a year-long audit of systems and processes to ensure operational effectiveness. In other words, we’ve proven through multiple checks over a year that our data security processes and incident and response plans meet their intended purposes.

What are the misconceptions about SOC 2 Certification?

SOC 2 establishes security standards, but only for some aspects of a company's product.

SOC 2 certification does not mean an individual product is more effective at safeguarding your data. As I mentioned, it’s just one part of a layered approach to security. The security of a company’s products and services is a multi-faceted pursuit that extends far beyond just SOC 2 certification.

At CertifID, SOC 2 represents our base standard data security operating procedures — not our highest level of security. We continue to build layers of protection within our products and services on top of internal processes to keep your sensitive data secure.

‍What does SOC 2 look like at CertifID?

SOC 2 is a badge of trust that ensures we handle your data carefully. But how we apply that is even more important. At CertifID, we do that in many ways; here are two examples in practice.

We carefully audit third-party security.

While SOC 2 compliance is an essential step in enhancing a company's security, it does not guarantee complete immunity to all cyber threats, especially when working with other vendors. Recent high-profile data breaches have shown that vendor vulnerabilities can compromise a company's secure infrastructure.

At CertifID, we take your data seriously, and we make sure we only partner with vendors who do the same. We check their security practices thoroughly before teaming up with them. We only work with vendors with a proven track record of maintaining high-security standards.

We stress-test our incident and response plans.

It’s one thing to say you’ve got a plan; it’s another thing to prove it. SOC 2 requires a written action plan in the event of a data breach. Not only do we have a documented procedure, but we’ve put it to the test to ensure we can act quickly.

By pressure-testing our plans, we can ensure that we’re protected and adequately prepared to protect your data should anything happen.

We work hard to earn your trust.

At CertifID, we take cybersecurity seriously. It’s our business, after all. However, obtaining SOC 2 certification is just the first step. We will continuously work to improve our security operations to ensure that your data is protected and strive for better, safer security protocols at every step. 

Ultimately, this commitment to security is what you can and should expect from us. And as a current — or prospective — CertifID customer, we hope this gives you the confidence to focus on growing your business with us, knowing your data is secure.