A recent study conducted by The Harris Poll revealed that 60% of consumers around the globe are more concerned about cybersecurity than a possible war. With instances of data breaches steadily increasing and consumer fear on the rise, the need to provide secure and compliant service is more imperative than ever.

As specialists in regulated industries, the team at Sepire offers our clients unconditional peace of mind that their data is secure. It is our mantra that “our clients’ data is sacrosanct”. This pledge goes beyond a service commitment; it is fortified by our SOC 2 certification. 

SOC 2 Explained

In short, SOC (System and Organization Controls) 2 is an audit framework that applies to SaaS and technology service companies that store customer data in the cloud. Its purpose is to verify that the organization's standards and practices adequately protect the privacy and security of client data. The criteria that make up SOC 2 were outlined by the AICPA (American Institute of Certified Public Accountants) to govern the security processes followed by service providers that store and process client data.

SOC 2 is based on five Trust Service Principles:

  1. Security

Is the service provider's system protected from unauthorized access? This is achieved by putting strict access controls and a robust IT security infrastructure in place.

  2. Availability

How accessible are the vendor's services and systems? Does the vendor adhere to SLAs and keep an eye on network traffic and performance? It is important that vendors have a breach response plan in place to ensure that service is not interrupted and security is not compromised during network outages.

  3. Processing Integrity

Do the service provider's data processing operations work as they should? To comply with this principle, the organization's processing must be complete, accurate, delivered on time and free from unauthorized access.

  4. Confidentiality

Does the service provider handle private, confidential data securely? It is important that vendors have a comprehensive overview of the data they work with, as well as where it resides. Confidential data should be correctly identified and tracked, and access to it limited to the intended audience.

  5. Privacy

Does the service provider have a privacy policy that clearly specifies how data is collected, used, retained, disclosed and disposed of? This principle refers to an organization's ability to protect personally identifiable information from unauthorized access.

For a company to achieve SOC 2 compliance, they must be able to show that (1) they have standards and systems in place that protect the security, availability, integrity, confidentiality, and privacy of customer data and (2) that they are in fact operating according to those established requirements. There are two types of SOC 2 reports: Type 1 and Type 2.

A Type 1 audit report details whether a service provider's systems are suitably designed to meet the relevant trust principles at a specific date or moment in time. A Type 2 report goes much deeper, providing a comprehensive assessment of how a service provider's systems work in practice (whether they are operating as designed) over a six- to 12-month period.

Sepire is SOC 2 Type 2 compliant. Our company undergoes an annual audit by independent third-party auditors to assess the effectiveness of our data management policies and procedures. This more in-depth report offers existing and prospective clients a much deeper level of assurance and confidence in how we handle sensitive data in practice.

Benefits of SOC 2 Audit

  1. It affords the service provider a high level of credibility and trustworthiness. This is without a doubt the greatest advantage of the audit for Sepire, being able to provide our clients with complete peace of mind that the security of their data is in competent hands.
  2. The audit report provides an effective means of communicating with stakeholders and saves a large amount of time when filling out vendor questionnaires during audits.
  3. The report offers organizations a clear snapshot of how effective their processes and controls are.
  4. SOC 2 constitutes a good foundation for a compliance program.
  5. A SOC 2 compliant service provider will have a competitive advantage over vendors who have not invested in an audit; it allows you to confidently brand your organization as one that adheres strictly to security protocol.
  6. Cost-effectiveness. Those who disagree will do well to compare the cost of a SOC 2 audit with that of a single data breach!

We work with a significant number of clients in the healthcare space, an industry especially targeted by cyberattacks. As part of our ongoing commitment to securing client data and attaining the highest level of security for the management of protected health information (PHI), Sepire is currently in the process of obtaining HITRUST certification.