We’re proud to announce that CosmoLex has completed SOC 2 Type 1 attestation! These heightened security standards will better serve our clients and the people they work with—and we are excited to share more about the process and what it means for you.
What is SOC 2?
Service Organization Control (SOC) 2 is an auditing process that helps cloud companies better assess data privacy and security standards. It’s specifically designed for service providers storing customer data in the cloud. This means SOC 2 applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information.
The level of security provided by SOC 2 attestation isn’t mandatory—it’s optional. But putting it into place means we’re committing ourselves to robust security policies that third-party, certified SOC 2 auditors validate.
Trust Services Criteria
SOC 2 guides companies in securing customer data through five principles, known as the Trust Services Criteria. Not all of these principles apply to every company. Part of the SOC 2 attestation process for CosmoLex included determining how and if they applied to us:
Security
Protect the company’s system from unauthorized access. This includes strong data controls and a focus on reducing the risk of data exfiltration—whether deliberate or accidental. The company also needs to validate data integrity.
They should make use of:
- Multi-factor authentication
- Phishing filters
- Managed detection and response services
- And more when available
Availability
How accessible are the company’s services and systems? They should monitor network traffic and performance closely and adhere to Service Level Agreements (SLAs). The company should also have breach and response plans in place.
Confidentiality
Confidentiality rests on responsible data management. The company should have a complete picture of where their data resides and should use encryption at rest and in transit. Private data must be handled extremely carefully—and it must not be accessible to any unauthorized person or organization.
Processing integrity
The company also needs to review how data is handled and processed. Real-time monitoring and quality assurance are both necessities.
Data should be accurate, complete, and promptly accessible. It should also be validated to prevent unauthorized access.
Privacy of customer data
The company’s privacy notice should be complete and accurate. It should also address:
- What data is being collected
- How data is stored
- How data is used
- Who data may be shared with
- How data is disposed of
It’s especially important that the company flag and guard personally identifiable information (PII) against unauthorized access.
Our history and journey to SOC 2
Since its inception, CosmoLex has kept very high standards in internal processes, policies, and security when it comes to handling customer data. However, while we’ve always handled user data securely and answered any questions as they arose, there was no way for customers to validate that we were indeed doing what we said we would.
To show our dedication to secure data handling, we started looking into how to develop a more standardized approach and offer third-party validation of our security promises—and thanks to a thoughtful comment at a meeting from board member Jim Eberlin, we landed on SOC 2.
A team effort
We put together a team to move us forward on this journey, and started with many questions, such as: do we want SOC 2 Type 1 or Type 2? Do we want SOC 2 attestation for a single product or service or the entire organization?
We met twice a week to go over the information we’d collected and jot down findings and what we’d learned. From there, we downloaded the SOC 2 policy template and started to explore. Our team knew that our already robust security measures were a good fit for the requirements of SOC 2 attestation.
After we set our goals, we determined the appropriate scope for CosmoLex, including which Trust Services Criteria applied to our situation.
As part of the process, we also interviewed more than twenty tool vendors, auditors, and consultants based on our criteria. (As we said, we were committed to the process!) We ranked them individually in terms of their fit—and selected VGS (Very Good Security) as our control platform and Armanino as our auditors.
Then, we organized our materials, conducted a self-audit, and set up self-monitoring to stay in compliance while we awaited the SOC 2 auditor.
SOC 2 attestation
And then, the audit! The American Institute of Certified Public Accountants (AICPA) stipulates that only an independent Certified Public Accountant (CPA) is qualified to perform the SOC 2 audit, though the auditor may engage an independent, certified SOC 2 specialist.
Learning that we passed the audit and achieved SOC 2 attestation was a true moment of joy for our company. The path to this achievement was made possible by our long-term goal to protect our clients’ data and all that we value at CosmoLex. We are deeply grateful to our entire team, who made this happen. Kudos!
Value for our clients
It’s important to us that our users feel comfortable trusting us with their data. In fact, it’s not too different from parents finding the right daycare for their kids. Just as parents would want to make sure their children are well-cared for at daycare, so we understand our clients want to know their data is in good hands with CosmoLex.
SOC 2 attestation provides an assurance to CosmoLex clients or anyone who is looking to migrate to the cloud in the future that when we manage their data, all the security protocols are in place and being followed.
Robust security with SOC 2
For us, SOC 2 is about putting in place well-defined policies, procedures, and practices—not just ticking all the compliance checkboxes with point solutions. Internally, this process validates how seriously we take our clients’ trust and security.
Whereas other compliance mandates, such as SOC 1 for financial services, have simpler reporting schemes, SOC 2 requires long-term, ongoing internal practices that ensure the security of customer information. And that’s at the core of how we operate in every aspect of our company. But it doesn’t stop there. We have already kicked off SOC 2 Type 2 attestation, which will further validate our ongoing commitment to customer data security and platform viability.
CosmoLex has adopted SOC 2 standards because we’re committed to our users and their data security. We appreciate your trust in us and are dedicated to continuing to earn it with sound security every moment of every day.