What does it mean to be SOC2 compliant for SaaS?

On average, enterprises now leverage services from at least five cloud (AKA SaaS) providers. And with enterprises continuing to move toward cloud environments, security threats loom for everyone involved in the cloud chain – SaaS providers, app builders and app users.

SaaS providers tend to store sensitive data – including payment card details and personal identity information – so they're attractive targets for breaches and hacks.

Every SaaS provider needs to ensure they’re applying best practice security protocols, or the implications could be far reaching, as many of the 2022 security breaches showed. Everyone (big and small) is being pressure-tested.

Security breaches in 2022

On August 29, 2022, e-commerce delivery service Doordash disclosed their systems had been breached and customer data (including phone numbers, emails, and delivery addresses) had been accessed. Guess who was the culprit? One of their third-party vendors had been attacked, and the vendor’s access permissions allowed the hackers to infiltrate Doordash’s systems.

Throughout 2022 there were a slew of other attacks – with tech giants like Twilio, Twitter, Okta, private and government institutions, as well as smaller businesses falling victim. Statista’s Cybersecurity Outlook estimates that in 2022, cybersecurity breaches cost companies (across all industries) an estimated $8.44 trillion, compared to just $860 billion in 2018. And by 2027, the global cost of cybercrime is expected to surge to $23.84 trillion.

With more attacks on the horizon, companies are looking to employ preventative cybersecurity measures to keep cybersecurity costs down and avoid concerns for themselves and more importantly, their customers. That's where SOC 2 compliance comes in – it indicates that your SaaS app is resilient, protected, and ideal for security-conscious customers.

Is SOC 2 for SaaS mandatory?

SOC 2 compliance isn’t a mandatory requirement for SaaS companies, but it’s increasingly important – especially when the SaaS product is used in an industry where sensitive data (eg. financial institutions and healthcare) is stored or used. It’s highly recommended for SaaS companies handling customer data, as it assures customers their data is secure and managed according to industry standards.

Additionally, compliance can help those SaaS companies aiming to:

• Enter new markets (such as finance or healthcare)
• Move upmarket into enterprise or government segments

These types of larger customers often require SOC 2 compliance as a condition of business.

Is SOC 2 required for all third-party vendors and components?

This is a commonly asked question. The answer is ‘No.’

However, being SOC 2 compliant gives your clients’ an assurance that you’re committed to security and to protecting the privacy of any data that you hold, or pass through your software.

Another way of viewing SOC 2 compliance, is that you're helping customers mitigate their risk by working with a vendor who’s already familiar with and following respected security standards. Through a security lens, this positions you as a more favorable vendor when compared to a non-SOC 2 compliant vendor.

SOC 2 compliance requirements

The SOC 2 standard consists of compliance requirements that are grouped under five main categories, also known as trust principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The SOC 2 trust principles

1. SOC 2: Security category

Requires organizations to implement reasonable and appropriate security measures to protect their systems and data from unauthorized access and malicious attacks.

This may include the use of:

• Firewalls
• Encryption, and
• User authentication.

2. SOC 2: Availability category

Requires organizations to maintain their systems, so they're available and functioning at an acceptable level.

This may include the use of:

• System backups
• Disaster recovery plans, and
• Regular maintenance.

3. SOC 2: Processing Integrity category

Requires organizations to ensure their systems are processing data accurately and securely. This may include the use of:

• Access controls, and
• Audit trails.

4. SOC 2: Confidentiality category

Requires organizations to ensure their systems are properly protecting sensitive data. This may include the use of:

• Access controls
• Encryption, and
• Access logs.

5. SOC 2: Privacy category

Requires organizations to ensure their systems are properly protecting their customers' personal information. This may include the use of:

• Data retention policies
• Customer consent forms, and
• Data breach procedures.

SOC 2 audit process

Step 1

Initial security audit

The process begins when an organization requests an audit from a qualified third-party auditor. They review the organization’s existing controls and policies and provide a detailed report on their evaluation of their effectiveness.

The auditor also recommends ways to improve any deficiencies found.

Once those recommendations are complete, the company must submit a report of the improvements to the auditor, who then issues them SOC 2 Compliance.

Step 2

Ongoing security audits

A SOC 2 audit report is valid for 12 months, which means to maintain compliance, organizations should perform a review audit at least once per year. These reviews demonstrate that the provider’s security and privacy controls are up-to-date and effective.

What’s the cost and complexity of achieving SOC 2 compliance?

Historically, hiring a consultant to perform an audit, identify gaps, and build out policies was prohibitively expensive for many SaaS companies.

However, in recent years companies like OneTrust have developed self-serve auditing tools and pre-built policies that allow organizations to perform much of the work themselves – thus lowering the barrier to achieve SOC 2 compliance.

SOC 2 and TinyMCE

At Tiny, we take our belief that ‘a chain is only as good as its weakest link’ very seriously. That's why we're constantly seeking new ways to improve the security of our products and customers' data.

TinyMCE is the only editor on the market that:

• Publishes security advisories
• Provides a content security policy
• Has XSS security documentation
• Has CORS documentation, and
• Offers asymmetric JWT signing for cloud services.

There’s also dedicated channels for customers and the community to notify our engineers of vulnerabilities and to be notified when fixes are available. Despite all this, we’re not resting until our security measures are considered SaaS gold standard.

TinyMCE‘s SOC 2 compliance

By the end of 2023, expect TinyMCE to be fully SOC 2 compliant – making our rich text editor the only commercially available rich text editor that’s maintained by a SOC 2 compliant entity.

If you're serious about offering next-generation rich text editing within your app and want to partner with a vendor that cares about security as much as you do, let's chat.