Sections in the Article
What is SOC 2?
System and Organization Controls (SOC) 2 is an auditing procedure developed by AICPA that defines criteria for managing various aspects of security and customer data. There are five Trust Services Criteria (TSC):
- Processing Integrity
The TSCs Security and Availability are recommend as most relevant for SaaS providers in our industry as they provide significant benefits and security for the SaaS provider and their customers (for example, management of personal data is covered by these TSCs).
Organizations are audited by 3rd party auditors like Kompleye or Deloitte with two standards (or Types) of compliance audited:
- SOC 2 Type I
- SOC 2 Type II
inRiver views SOC 2 compliance as a crucial way to demonstrate that we are a security-conscious SaaS provider that provide the highest level of trust for prospective and existing customers.
Differences in SOC 2 Type I and SOC 2 Type II
SOC 2 Type l audits measure an organization’s ability to meet the desired TSCs based on the design and implementation of its controls, policies, and procedures. Type I audits are often referred to as a “snap-shot” of an organization’s compliance to SOC 2 standards.
SOC 2 Type ll audits measure the organization’s effectiveness in applying its controls over a specific period of time (usually a year), the assessment of any possible risks, and the suitability of any plans to mitigate such risks appropriately.
inRiver’s SOC 2 Compliance
inRiver achieved its SOC 2 Type l audit on 30th September 2020.
inRiver achieved its SOC 2 Type II compliance with an Unqualified Report* for the period 1st October 2020 to 31st January 2021 across 1 production environment for the TSCs Security and Availability, in January 2021.
inRiver’s next SOC 2 Type II audit will be for the period 1st February 2021 to 31st December 2021
*Unqualified Report: this means we were fully compliant (there were no exceptions or advisory comments) and this is the best level of report an organization can achieve
Benefits for inRiver Prospective or Existing Customers?
inRiver SOC 2 Type II demonstrates inRiver’s commitment to protecting & securing our customer's data, as well as our appetite and commitment for continuous improvement of our services and the entire structure surrounding it.
With SOC 2 Type II compliance, organizations can be assured that inRiver is operating to the highest industry standards by responsibly and proactively managing the risks inherent with providing a SaaS solution.