We are thrilled to announce that RudderStack has completed its SOC 2 Type 1 audit and received its report. This is a key milestone for us, and one that helps you verify that we protect your customer data while you use it to gain business insights. This post covers what SOC 2 is, why it matters for a customer data pipeline, and the steps we followed to obtain our Type 1 report.
What is SOC 2?
SOC 2 is an audit performed by an independent, licensed CPA firm that evaluates a service organization's controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The security criteria are mandatory in every SOC 2 audit; the other four are included as they apply to the service. The framework is developed and maintained by the American Institute of CPAs (AICPA) and is widely requested by enterprise buyers during vendor due diligence. Strictly speaking, SOC 2 produces an attestation report rather than a certificate: a Type 1 report covers whether the controls were suitably designed as of a specific date, while a Type 2 report also covers whether they operated effectively over an observation period.
As per Truvantis, “SOC 2 (System and Organization Controls 2) is a type of audit report that attests to the trustworthiness of services provided by a service organization. It is commonly used to assess the risks associated with outsourced software solutions that store customer data online.”
Why did RudderStack go Through the SOC 2 Audit?
RudderStack is a smart customer data pipeline that connects your entire data stack and carries customer data through it. Even though we don't persist any customer data, our clients trust us with the sensitive data that flows through our systems. RudderStack protects customers' PII (Personally Identifiable Information) using PII detection and masking code.
Note: Read more on how RudderStack protects PII in this article.
If you deal with highly sensitive customer data (financial companies, for example), the SOC 2 report makes your life easier and reduces the effort of auditing RudderStack yourself before buying. The report describes the controls we have in place and carries an independent auditor's opinion that they were suitably designed to meet the criteria as of the report date.
How did we do it?
Obtaining a SOC 2 report means ensuring that every employee, as well as every piece of infrastructure, is covered by controls that meet the AICPA criteria.
The RudderStack Team
To get started, each person from the RudderStack team (all of our teams - engineering, sales, marketing, content, etc.) completed online training with modules on security concepts, threats, best practices, and protocols. After each module, there were multiple-choice knowledge tests that we all had to pass.
Once the training was complete, each employee had to ensure their work machines and accounts (GitHub, e-mail, and so on) were protected using antivirus software, a password manager, and two-factor authentication.
Finally, each RudderStack employee agreed to the terms and conditions for keeping all data secured.
Securing the infrastructure of our production environment is just as crucial in obtaining the SOC 2 report. The production environment must not be reachable publicly or by unauthorized users, so access control is the single most important control here.
To protect our production environment, we deployed the Vanta agent, which monitors our infrastructure machines for vulnerabilities and flags them for remediation.
After securing the machines, the next step was access to our code and cloud accounts: we enforced two-factor authentication for GitHub and AWS. Enforcing it at the organization or account level, rather than relying on each user to opt in, is what keeps a new account from slipping through without it.
The final task was to secure our communications, so we enforced two-factor authentication on our G Suite accounts as well.
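Enforcing two-factor authentication is only half the control; an auditor will ask how you know it is actually in effect. Below is an added example (not RudderStack's code) of the check a practitioner would run against AWS: it parses an IAM credential report and flags every identity that can reach the console without MFA. The report content is constructed for the example and keeps only the leading columns of the real report format; the AWS CLI commands in the docstring are the real way to fetch a live report.

```python
"""Audit an AWS IAM credential report for console users without MFA.

Fetch the real report with the AWS CLI:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
Then call find_mfa_gaps(open("report.csv").read()).
"""
import csv
import io
from typing import Dict, List

# Constructed sample (not real account data). The header matches the leading
# columns of the real credential-report format; the trailing access_key_2_*
# and cert_* columns are omitted for brevity.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2021-03-01T12:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::123456789012:user/alice,2020-02-01T09:00:00+00:00,true,2021-03-02T08:00:00+00:00,2021-01-15T10:00:00+00:00,N/A,true,false
bob,arn:aws:iam::123456789012:user/bob,2020-02-01T09:00:00+00:00,true,2021-03-02T08:00:00+00:00,2021-01-15T10:00:00+00:00,N/A,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2020-02-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def find_mfa_gaps(report_csv: str) -> List[Dict[str, str]]:
    """Return one finding per identity that can sign in to the console without MFA.

    Rules applied per row of the credential report:
      * the root account must have MFA active (it always has a password,
        which the report shows as 'not_supported' in password_enabled);
      * an IAM user with a console password must have MFA active;
      * a user with access keys but no password is reported as informational:
        console MFA does not apply, so key rotation must be controlled separately.
    """
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa_active = row["mfa_active"] == "true"
        has_password = row["password_enabled"] == "true"
        has_key = row["access_key_1_active"] == "true"

        if user == "<root_account>":
            if not mfa_active:
                findings.append({"user": user, "severity": "high",
                                 "issue": "root account has no MFA device"})
            continue

        if has_password and not mfa_active:
            findings.append({"user": user, "severity": "high",
                             "issue": "console password enabled without MFA"})
        elif not has_password and has_key:
            findings.append({"user": user, "severity": "info",
                             "issue": "access-key-only user; MFA not applicable, enforce key rotation"})
    return findings


def mfa_enforced(report_csv: str) -> bool:
    """Pass/fail for the control: True when no high-severity MFA finding remains."""
    return not any(f["severity"] == "high" for f in find_mfa_gaps(report_csv))


if __name__ == "__main__":
    for f in find_mfa_gaps(SAMPLE_REPORT):
        print(f"[{f['severity']}] {f['user']}: {f['issue']}")
    print("control passes:", mfa_enforced(SAMPLE_REPORT))
```

On the sample data the check fails: the root account and `bob` have console access without MFA, while `deploy-bot` is reported as informational because an access-key-only user cannot be covered by console MFA at all. Two points worth keeping in mind: a report like this observes the control, whereas an IAM policy that denies actions unless the `aws:MultiFactorAuthPresent` condition key is true actually enforces it; and the equivalent check for GitHub is the organization members endpoint with `filter=2fa_disabled`, which an organization owner can run, alongside the org-wide "Require two-factor authentication" setting that turns the policy into an enforced control.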
Consistency is the Key
Security cannot be a one-off activity; consistency is the key here. We are committed to offering a secure customer data pipeline for all of our customers: we not only collect customer data securely but also maintain that security throughout the pipeline. This SOC 2 Type 1 report vouches for the controls we have put in place to secure customer data, and our consistency in operating them will be audited over an observation period as we work toward our SOC 2 Type 2 report.
Try RudderStack Today
If you haven't already, sign up for RudderStack Free today. Start using a smarter customer data pipeline that builds your customer data lake on your data warehouse. Use all your customer data, answer more difficult questions, and send insights to your whole customer data stack.
Join us on Slack to chat with our team, explore our open source repos on GitHub, subscribe to our blog, and follow us on our socials: Twitter, LinkedIn, dev.to, Medium, YouTube. Don't miss out on any updates.