SOC2: Why we did it and what we learned

At Violet we like to say that we do the hard stuff so you don’t have to. We bring that kind of rigor and quality commitment to everything we do. 

After months of audits, pen tests, and security updates, we’re pleased to announce that we have just received our Type II SOC2 Certification for Availability and Security.

What is SOC2

While it's an oft-mentioned acronym, the specifics of SOC2 aren't as well known as we thought, even within different parts of our own non-engineering team. What is SOC2, you ask? 

SOC2 compliance is one of the most important compliance certifications for tech companies in North America. It’s given through an independent auditing process that evaluates a company across one or several of five main areas:

  • Availability: Is your company’s product consistently available? Are you able to reliably prevent outages and avoid latency?
  • Security: Can your company ensure personal data is protected? Can you effectively prevent unauthorized access?
  • Privacy: How does your company maintain, store, and dispose of personal information?
  • Processing Integrity: How does your company balance maintaining the integrity of client data with efficient, convenient processes?
  • Confidentiality: What processes does your company have for protecting confidential information?

Companies that pursue SOC2 compliance usually begin by targeting the one or two areas that are most crucial to their business and customers. Proof of the audit and of compliance comes in the form of a SOC2 report. 

Regardless of the area, SOC2 certification is also broken into two types. Type One is the initial report that shows a company is in the process of obtaining compliance; it only proves that the company has the correct policies and procedures in place. Type Two confirms that the company has gone through the required process, passed its SOC2 audit, and is in fact effective at preventing security and compliance breaches.  

Why now

During our SOC2 certification process we were frequently asked, “Why is an early-stage start-up like Violet investing in SOC2?” Most start-ups don’t bother with the process until much later in their growth. SOC2 certification can be expensive and time-consuming, and is typically considered worthwhile only for mature enterprises. 

But at Violet, we’re already working with multiple large, enterprise customers for whom SOC2 is critical. For us and for our customers, top-notch security isn’t just a nice to have: it’s non-negotiable.

What we did

When we kicked off the process last year, we decided specifically to prioritize the two areas of SOC2 certification that would have the most impact for our customers (and for their customers): availability and security.

Partnering with Vanta proved to be extremely helpful. They helped us streamline the process by automating the collection of most of the evidence we needed to prove our compliance, and provided clear guidance on the rest, along with a single place to upload it. 

Over the course of a few months, we worked diligently with Vanta to walk through the checklist of documentation and data necessary for the audit, pausing whenever an item required us to update or advance our current systems, processes, or documentation. 

We also conducted a penetration test through HackerOne, one of the most reputable and trusted names in pen tests today. While we could have opted for a less rigorous penetration test, we knew HackerOne’s reputation and wanted to hold ourselves to the highest possible standard with our customer data: with personal data and security, we knew “good enough” simply wasn’t. 

On March 22, 2022, after many months of gathering, evaluating, troubleshooting, and improving our systems, and with great indebtedness to Vanta, AWS, and HackerOne, we received our SOC2 Type II compliance report, which declared us SOC2 Type II certified. 

What we learned

While SOC2 compliance may not be a top priority for many early-stage start-ups, it’s never too early to start preparing for it. Getting SOC2 compliance as early as possible has helped position Violet as a viable partner for enterprise-scale clients, and proves to potential customers that we value and invest in the security and quality of our product. 

For other start-ups considering this process or about to embark on it, here are our top three takeaways that we hope will help others do their part to protect security online:

Do your research / know your customers

One of the benefits of SOC2 compliance is that it allows companies to focus on the areas that matter most to their customers and make the most sense with their business model. Having conversations with current or potential customers about what they require will help target your efforts towards the compliance measures that matter most to your business. 

Find the right partners

One of the reasons we were able to pursue SOC2 compliance soon after sealing our Series A funding was because we partnered with Vanta. Between their ability to automate the collection of certain data and documentation, their ability to integrate with our cloud service provider AWS, and their unwavering guidance for all pieces of the process they couldn’t automate, a mountain of work became a much more manageable climb for our engineers. 

It’s never too early to start

Everyone can begin to prepare for SOC2 compliance, whether they plan to start the formal process in twelve days or in twelve months. A few of the things we quickly realized could be taken care of early include: 

  • Google Workspace: Whatever single sign-on (SSO) or identity & access management (IAM) provider you use, make sure you’re set up not only to create accounts but also to delete them, and link those procedures to the requisite onboarding and off-boarding alerts. 
  • AWS: Using major cloud providers like AWS/GCP/Azure will streamline the SOC2 process, because partners like Vanta can connect directly to your systems and analyze your configuration. Using less-known cloud providers or on-premise solutions will likely lead to a more complex SOC2 process.
  • MFA: Multi-factor authentication (MFA) should be enabled and enforced anywhere it’s available. This provides an immediate additional layer of security for critical applications and will become a requirement once the SOC2 process is started.
  • Endpoints: Ensure that all desktops, laptops, and mobile devices used by your staff are secured with anti-virus/anti-malware tools. Additionally, these devices should be placed behind a virtual private network (VPN).
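The first and third items above (account deprovisioning tied to off-boarding, and MFA enforced everywhere) are the kind of controls an auditor asks for recurring evidence of. As an added example that is not Violet’s or Vanta’s code, the script below runs that check over a constructed export: it joins an identity-provider account list against an HR roster and reports active accounts belonging to departed staff, accounts without MFA, and accounts that have gone idle. The record shapes, field names, and sample people are assumptions made for the example, not the format of any real IdP or HR system.

```python
"""
Audit identity-provider accounts against an HR roster for SOC2-style access
reviews. All data below is constructed for illustration; the field names are
an assumed shape, not a real IdP or HR export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    email: str
    status: str                 # assumed IdP vocabulary: "active" or "suspended"
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never signed in


@dataclass(frozen=True)
class HrRecord:
    email: str
    termination_date: Optional[date]  # None means still employed


# Constructed sample data. The review is run "as of" the report date.
AS_OF = date(2022, 3, 22)

HR_ROSTER: List[HrRecord] = [
    HrRecord("alice@example.com", None),
    HrRecord("bob@example.com", date(2022, 2, 1)),   # off-boarded in February
    HrRecord("carol@example.com", None),
]

IDP_ACCOUNTS: List[Account] = [
    Account("alice@example.com", "active", True, date(2022, 3, 15)),
    Account("bob@example.com", "active", True, date(2022, 1, 20)),    # never deleted
    Account("carol@example.com", "active", False, date(2022, 3, 20)), # no MFA
    Account("dave@example.com", "active", True, date(2021, 11, 1)),   # unknown to HR
    Account("erin@example.com", "suspended", False, None),            # already disabled
]


def find_orphaned_accounts(accounts: List[Account], roster: List[HrRecord],
                           as_of: date) -> List[Tuple[str, str]]:
    """Active accounts whose owner is missing from HR or has already been terminated.

    Returns (email, reason) pairs in the order the accounts were supplied.
    """
    by_email = {r.email: r for r in roster}
    findings = []
    for acct in accounts:
        if acct.status != "active":
            continue  # suspended accounts are not an access risk for this check
        rec = by_email.get(acct.email)
        if rec is None:
            findings.append((acct.email, "not in HR roster"))
        elif rec.termination_date is not None and rec.termination_date <= as_of:
            findings.append((acct.email, f"terminated {rec.termination_date.isoformat()}"))
    return findings


def find_missing_mfa(accounts: List[Account]) -> List[str]:
    """Active accounts that have not enrolled a second factor."""
    return sorted(a.email for a in accounts if a.status == "active" and not a.mfa_enrolled)


def find_stale_logins(accounts: List[Account], as_of: date, max_idle_days: int = 90) -> List[str]:
    """Active accounts idle for longer than max_idle_days, or that never signed in."""
    stale = []
    for a in accounts:
        if a.status != "active":
            continue
        if a.last_login is None or (as_of - a.last_login).days > max_idle_days:
            stale.append(a.email)
    return sorted(stale)


def build_report(accounts: List[Account], roster: List[HrRecord], as_of: date) -> dict:
    """Collect the three checks into one structure suitable for evidence upload."""
    return {
        "as_of": as_of.isoformat(),
        "orphaned_accounts": find_orphaned_accounts(accounts, roster, as_of),
        "missing_mfa": find_missing_mfa(accounts),
        "stale_logins": find_stale_logins(accounts, as_of),
    }


if __name__ == "__main__":
    for key, value in build_report(IDP_ACCOUNTS, HR_ROSTER, AS_OF).items():
        print(f"{key}: {value}")
```

In practice the two input lists would come from your IdP’s user export and your HR system, and the report would run on a schedule so that a missed deletion surfaces within days rather than at the next audit. Suspended accounts are deliberately skipped: the point of the orphan check is accounts that can still sign in.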

With our SOC2 Type II report in hand (eerrr...in the cloud behind encryption and MFA) we’re now very excited to grow with some very large customers and to engage in deeper conversations with potential partners, knowing that we can offer them scalable, certified assurance.