Why SOC 2 Type II Certification Matters

‍To prove credibility, many tech companies turn to Service Organization Controls (SOC) reports. We’re SOC 2 Type II, and here’s why.

SOC 2 Type II MetaRouter

Share with others

To establish trust, many tech companies turn to Service Organization Controls (SOC) reports to earn a certification administered by an independent third party. With this certification, vendors can gain a quick understanding of exactly how seriously the company takes data security.

In today’s marketing and advertising ecosystem, vendors use third-party tags to collect the information necessary to operate their tools. For years, users—and sometimes organizations themselves—didn’t know who was collecting information, what information was being stored, or whether those third parties would use it for marketing or sell it to others. 

Our data should be protected

Over time, however, we’ve been warned of the precarious handling of our sensitive information: some popular vendors have gotten called out for collecting and sharing personal information, the totally legal(!) practice of data brokering has received air time, and the problem of advertising with third-party cookies has been exposed

This growing awareness of the insecurity of our user data has influenced or reinforced regulations like CCPA, GDPR, HIPAA, PCI DSS, and COPPA, which exist to protect personal information and address privacy concerns.

Organizations are accountable 

CCPA and GDPR specifically have been enacted in order to give users more control over all their personal information. For example:

CCPA is built on a consumer’s right to:

• Access data being collected about them 

• Control the sale of their personal data  

• Take recourse if their personal data is compromised 

GDPR is built on a consumer’s right to:

• Consent to use of data

• Obtain access to any personal information collected

• Request the deletion of personal information already collected

This implies an increasingly universal expectation that when a user visits an organization’s website, they should be able to trust that organization to protect their information. Which is why it’s imperative that organizations not only handle data with the utmost care but also trust their third-party vendors.

To do that, an organization must understand each third-party vendor’s individual stance on security. SOC makes that simple.

Quick SOC Overview

Trusting another entity’s information security procedures has been an issue for decades (at least!). In the early 1970s, the eventual creators of SOC, the American Institute of Certified Public Accountants (AICPA), released the Statement on Auditing Standards (SAS) 1. New versions were published through 1992. 

While this was an acceptable validation in the 70s and 80s, companies began to outsource more services, creating the need for an objective, trusted third-party to vet the individual security of each third-party vendor. 

In 2010, the AICPA announced the Statement on Standards for Attestation Engagement (SSAE 16) and, under that auditing standard, released three new reports (Secureframe):

• SOC 1 - SOC 1s are designed for organizations that outsource services that place control of financial reporting in third part hands. When doing business with a SOC 1 organization, customers can be confident that their financial information, in specific, is being handled with great care because their internal controls are air-tight.

• SOC 2 - SOC 2s expand beyond financial controls to other areas: security, availability, processing integrity, confidentiality, and privacy. These are the five Trust Service Criteria (formerly Trust Services Principles, or TSPs) on which SOC 2 is based. Organizations that handle customer data will want a SOC 2 certification.

• SOC 3 - SOC 3s are similar to SOC 2s but are less formal, less detailed reports. They are designed to be widely distributed to the public and were often used for marketing, but they don’t outline any test results or opinions, like a SOC 2. 

Both SOCs 1 and 2 have two types. Type I is a report on the overall design of policies and procedures in one evaluation, but Type II documents its effectiveness over time, requiring an ongoing evaluation for 6 months, at least. 

What’s in it for customers?

We chose SOC 2 Type II not only to provide a sense of security for customers but also to better meet their needs. Early on, companies requiring the highest level of security would opt for our self-hosted platform—which can be configured to completely eliminate MR access—but this isn’t the answer for everyone. While private hosting is extremely secure, it requires support resources not all of our customers can spare. 

Whether you host yourself or with us, you can be confident in your customer data protection: 

• Control compliance from the moment data is collected

• Collect all data within resources wholly dedicated to your organization

• Eliminate third-party tags, that almost always over-collect sensitive information, on environments that have direct access to consumer data

• Full control and visibility over who can access to your data (even MetaRouter’s, as mentioned)

• Integrate with other compliance partners (e.g. OneTrust)

Not only that but our SOC 2 policies extend beyond the security of our product but also our process, people management, credentials, etc. As with MetaRouter or any other vendor, it’s important to request a SOC 2 report. Ours will cover important areas, including:

• How we prevent unauthorized access

• Disaster recovery protocols

• Performance Monitoring

• System reliability

• Encryption of data in transportation

Outside auditors now assess MetaRouter annually to certify that we’re qualified to handle sensitive data and meet the needs of internal InfoSec teams and rigorous compliance standards for even the strictest policies. This important step of accountability validates our total commitment to putting data control back into your hands. 

To find out more, download this case study to see how a leading healthcare company stays HIPAA compliant with MetaRouter.