What does it mean to be SOC2 compliant for SaaS?
Published May 18th, 2023
8 min read
If you're a SaaS provider, you're likely a third-party vendor. And as a vendor, you’re obliged to be vigilant about security risks for your SaaS product – otherwise, you may be implicated in a customer's data breach. That's where SOC 2 compliance plays an important role – in auditing and proving your security measures.
Product Marketing at TinyMCE
On average, enterprises now leverage services from at least five cloud (AKA SaaS) providers. And with enterprises continuing to move toward cloud environments, security threats loom for everyone involved in the cloud chain – SaaS providers, app builders and app users.
SaaS providers tend to store sensitive data – including payment card details and personal identity information – so they're attractive targets for breaches and hacks.
Every SaaS provider needs to ensure they’re applying best-practice security protocols, or the implications could be far-reaching, as many of the 2022 security breaches showed. Everyone (big and small) is being pressure-tested.
Security breaches in 2022
On August 29, 2022, e-commerce delivery service DoorDash disclosed that their systems had been breached and customer data (including phone numbers, emails, and delivery addresses) had been accessed. Guess who was the culprit? One of their third-party vendors had been attacked, and the vendor’s access permissions allowed the hackers to infiltrate DoorDash’s systems.
Throughout 2022 there were a slew of other attacks – with tech giants like Twilio, Twitter, Okta, private and government institutions, as well as smaller businesses falling victim. Statista’s Cybersecurity Outlook estimates that in 2022, cybersecurity breaches cost companies (across all industries) an estimated $8.44 trillion, compared to just $860 billion in 2018. And by 2027, the global cost of cybercrime is expected to surge to $23.84 trillion.
With more attacks on the horizon, companies are looking to employ preventative cybersecurity measures to keep cybersecurity costs down and avoid concerns for themselves and more importantly, their customers. That's where SOC 2 compliance comes in – it indicates that your SaaS app is resilient, protected, and ideal for security-conscious customers.
SOC 2 compliance meaning
SOC 2 is an acronym for System and Organization Controls 2, and compliance means that the organization has been audited and shown to be maintaining the information security standard developed by the American Institute of Certified Public Accountants (AICPA).
The standards prescribe certain criteria that organizations must meet, and they must also demonstrate that they maintain an ongoing system of internal controls over:
- Confidentiality of their customer data.
Similar to how the respected ISO standards are considered “...a formula that describes the best way of doing something”, SOC 2 is the most respected set of auditing standards used to evaluate and report on service organizations' internal controls or processes.
What’s the importance of SOC 2 for SaaS?
SOC 2 compliance is used to assess the trustworthiness of a service (such as a SaaS provider) and shows they’re following best practices when it comes to data security. It’s become an important item on any software evaluation checklist, especially when that software handles customer data.
Organizations also benefit from SOC 2 compliance, through the trust and credibility it builds with their customers.
What’s the key difference between ISO 27001 and SOC 2 compliance?
The key difference is that SOC 2 compliance is not a certification.
By contrast, if you pass the exacting ISO 27001 requirements, then your business is ISO 27001 certified.
Additionally, SOC 2 primarily focuses on proving you've implemented security controls to protect customer data, whereas ISO 27001 requires that you prove you have an operational Information Security Management System (ISMS) to continually manage your InfoSec program.
Is SOC 2 for SaaS mandatory?
SOC 2 compliance isn’t a mandatory requirement for SaaS companies, but it’s increasingly important – especially when the SaaS product is used in an industry where sensitive data is stored or used (e.g. financial institutions and healthcare). It’s highly recommended for SaaS companies handling customer data, as it assures customers their data is secure and managed according to industry standards.
Additionally, compliance can help those SaaS companies aiming to:
- Enter new markets (such as finance or healthcare)
- Move upmarket into enterprise or government segments
These types of larger customers often require SOC 2 compliance as a condition of business.
Is SOC 2 required for all third-party vendors and components?
This is a commonly asked question. The answer is ‘No.’
However, being SOC 2 compliant gives your clients an assurance that you’re committed to security and to protecting the privacy of any data that you hold, or that passes through your software.
Another way of viewing SOC 2 compliance is that you're helping customers mitigate their risk by working with a vendor who’s already familiar with and following respected security standards. Through a security lens, this positions you as a more favorable vendor when compared to a vendor that is not SOC 2 compliant.
The difference between SOC 1 and SOC 2
Like ISO standards, each SOC standard has a different set of criteria that organizations must meet to achieve compliance.
SOC 1 – Finance
The SOC 1 standards were established to ensure organizations maintain:
- Strong internal controls, and
- The integrity of their financial reporting.
To achieve SOC 1 compliance, the organization must have had a third-party auditor review their financial reporting processes and procedures to ensure accuracy and consistency.
SOC 2 – Security and privacy
SOC 2 compliance focuses on security and privacy standards based on the AICPA's Trust Services Principles. Those standards ensure that all SOC 2 compliant organizations take ongoing action to protect their customer data and that they comply with the required security and data privacy controls.
As with SOC 1, SOC 2 compliance requires third-party auditing and it’s frequently considered a mandatory requirement for organizations that handle sensitive customer data – such as financial institutions and healthcare organizations.
SOC 2 compliance requirements
The SOC 2 standard consists of compliance requirements that are grouped under five main categories, also known as trust principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The SOC 2 trust principles
1. SOC 2: Security category
Requires organizations to implement reasonable and appropriate security measures to protect their systems and data from unauthorized access and malicious attacks.
This may include the use of:
- Encryption, and
- User authentication.
2. SOC 2: Availability category
Requires organizations to maintain their systems, so they're available and functioning at an acceptable level.
This may include the use of:
- System backups
- Disaster recovery plans, and
- Regular maintenance.
3. SOC 2: Processing Integrity category
Requires organizations to ensure their systems are processing data accurately and securely. This may include the use of:
- Access controls, and
- Audit trails.
4. SOC 2: Confidentiality category
Requires organizations to ensure their systems are properly protecting sensitive data. This may include the use of:
- Access controls
- Encryption, and
- Access logs.
5. SOC 2: Privacy category
Requires organizations to ensure their systems are properly protecting their customers' personal information. This may include the use of:
- Data retention policies
- Customer consent forms, and
- Data breach procedures.
SOC 2 audit process
Initial security audit
The process begins when an organization requests an audit from a qualified third-party auditor. They review the organization’s existing controls and policies and provide a detailed report on their evaluation of their effectiveness.
The auditor also recommends ways to improve any deficiencies found.
Once those recommendations have been implemented, the company must submit a report of the improvements to the auditor, who then confirms their SOC 2 compliance.
Ongoing security audits
A SOC 2 audit report is valid for 12 months, which means to maintain compliance, organizations should perform a review audit at least once per year. These reviews demonstrate that the provider’s security and privacy controls are up-to-date and effective.
What’s the cost and complexity of achieving SOC 2 compliance?
Historically, hiring a consultant to perform an audit, identify gaps, and build out policies was prohibitively expensive for many SaaS companies.
However, in recent years companies like OneTrust have developed self-serve auditing tools and pre-built policies that allow organizations to perform much of the work themselves – thus lowering the barrier to achieve SOC 2 compliance.
SOC 2 and TinyMCE
At Tiny, we take our belief that ‘a chain is only as good as its weakest link’ very seriously. That's why we're constantly seeking new ways to improve the security of our products and customers' data.
TinyMCE is the only editor on the market that:
- Publishes security advisories
- Provides a content security policy
- Has XSS security documentation
- Has CORS documentation, and
- Offers asymmetric JWT signing for cloud services.
There are also dedicated channels for customers and the community to notify our engineers of vulnerabilities and to be notified when fixes are available. Despite all this, we’re not resting until our security measures are considered the SaaS gold standard.
TinyMCE's SOC 2 compliance
By the end of 2023, expect TinyMCE to be fully SOC 2 compliant – making our rich text editor the only commercially available rich text editor that’s maintained by a SOC 2 compliant entity.
If you're serious about offering next-generation rich text editing within your app and want to partner with a vendor that cares about security as much as you do, let's chat.
A former developer, John works on the Marketing team at Tiny. When he's not spreading the word about TinyMCE, he enjoys taking things apart and *trying* to put them back together (including his house and anything else that looks interesting).