LinkSquares is proud to announce that it has successfully undergone a Service Organization Control (SOC) 2 Type II examination by an independent, 3rd party auditor. We wanted to provide an overview of what this is, what it means for our customers, and why it’s important. The short answer is that SOC 2 is proof that your customers can rely on you. For the long answer, read on.
Let's break it down.
What is a "service organization?" It's a company with whom you have an ongoing relationship, because it provides services you rely on. Your electrical utility, your internet service provider, your bank, or every Software-as-a-Service vendor you deal with is a service organization. If that service goes down, your business will suffer.
That's where the "control" part of service organization controls comes in. Controls are processes, policies, and plans that service companies use to deal with unexpected challenges. Controls are the internal rules and regulations your service providers set up to make sure their problems don't become your problems. Everything from hacker attacks to power outages to the outbreak of a global pandemic is addressed with a specific, SOC-prescribed internal control with the ultimate goal of preventing customer service interruptions.
So, what is SOC 2, and how is it different from SOC 1?
The SOC standards were developed by the American Institute of CPAs -- accountants -- so it should come as no surprise that SOC 1 deals with having good internal controls around financial reporting. The SOC 1 standard guards against potential bankruptcy, embezzlement, fraud, and similar fiscal concerns.
SOC 2 came later, when it became clear that two of the biggest risks modern businesses face are failure of their information technology and a breach of their information security. SOC 2 prescribes controls for keeping your data and information services secure and operational. Server failure, internet outages, and rogue IT employees are all addressed by SOC 2 controls.
A SOC report is documentation of these controls, but there are two types of SOC reports: Type I and Type II.
A Type I report is self-administered. A company gets ahold of the SOC standards manual and documents (or adopts) all the policies and procedures they use to enforce the required controls. Basically, these companies write down their plan for preventing unscrupulous employees or unpreventable disasters from interfering with their business. A Type I SOC report is proof a company has given serious thought to how they would prepare for worst-case scenarios and prevent service interruptions for their customers.
But, as a wise person once said, "trust, but verify." That's where a SOC Type II report comes in.
After a company has developed their Type I SOC plan, they have to actually enforce all the controls they laid out in that report for at least six months, and have that enforcement verified by a third-party auditor.
A Type II SOC report is proof that a company is actually following its own preparedness plans.
So that SOC 2 Type II report that LinkSquares would be glad to share? It's proof that we take information security very seriously, and that a third-party auditor confirmed we are adhering to the necessary controls to keep your information safe and our Software-as-a-Service reliable.
Every SaaS vendor should have a SOC 2 Type II report they're ready to show you. And if they don't, you should insist on their achieving that as part of your client contract.
If you'd like to see our SOC 2 Type II report (or you'd like a secure, reliable SaaS tool that can help you monitor the SOC requirements of client and vendor agreements) contact LinkSquares today.
At LinkSquares, we take security and safeguarding customer data extremely seriously. We're proud to partner with companies like Vanta to provide the highest level of trust and security to our customers.
Subscribe to the LinkSquares Blog
Stay up to date on best practices for GCs and legal teams, current events, legal tech, and more.