When you launch a data protection and management startup, one of the most important priorities is to hold your product, people, and business processes to the highest standards around information security. Not only is it expected by most customers, but it’s the kind of culture you should drive internally. Your data protection product comes with risks that you’re expected to manage continuously.
“Protecting our product, customers, and employee data is the most important objective.”
Therefore, we started the Revyz Security & Compliance program from day 1. Our people understand that customer data protection is a top priority. Our product is built with dozens of security controls from the ground up.
Today, we’re excited to announce that Revyz is now SOC2 Type II compliant.
What is SOC 2 Type II Compliance?
SOC 2 stands for System and Organization Controls 2. It was created by the AICPA in 2010. SOC 2 was designed to give auditors a framework for evaluating the operating effectiveness of an organization’s security controls.
The SOC 2 security framework covers how companies should handle customer data that’s stored in the cloud. At its core, the AICPA designed SOC 2 to establish trust between service providers and their customers. SOC 2 refers to both the security framework and the audit that checks whether a company is compliant with SOC 2 requirements.
SOC 2 defines requirements for managing and storing customer data based on five Trust Services Criteria (TSC):
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
During a SOC 2 audit, an independent auditor will evaluate a company’s security posture related to one or all of these Trust Services Criteria. Each TSC has specific requirements, and a company puts internal controls in place to meet those requirements.
The Security TSC is always included in a SOC 2 audit, while the other four are optional.
Security is also referred to as the Common Criteria, since many of the security criteria are shared among all of the Trust Services Criteria.
What is a SOC 2 Audit?
Controls and compliance reports are unique to every organization. Each company designs its own controls to comply with its Trust Services Criteria. An independent auditor is then brought in to verify whether the company’s controls satisfy SOC 2 requirements. After the audit, the auditor writes a report about how well the company’s systems and processes comply with SOC 2. There are two types of reports that an auditor provides after their evaluation, Type I or Type II.
What is the difference between SOC 2 Type I and Type II?
A SOC 2 Type I report evaluates a company’s controls at a point in time. It answers the question: are the security controls designed properly?
A SOC 2 Type II report assesses how those controls function over a period of time, generally a minimum of 3 months. It answers the question: do the security controls a company has in place function as intended?
We at Revyz decided to go for the more stringent Type II report as it helped prove to ourselves that the controls we put in place were being followed as intended.
Our SOC 2 Type II Journey
To become SOC 2 Type II compliant, Revyz needed not only the right technology in place but also strict processes. This audit assured us that we had implemented the proper controls to protect the security, confidentiality and availability of our systems and of the data we protect. Some of the key tools that enabled us to achieve SOC 2 compliance are Jira & Confluence. We used Confluence to document our processes and Jira to actually follow them. These processes could be for on-boarding new teammates or for change management. Having a record of every change living in Jira was super helpful in proving to our auditors which processes we were following.
While we went through documenting and following these processes, we also realized that our own Jira backup & restore service is a critical element in enabling SOC 2 compliance for others, simply because of the functionality we offer. In summary: if anyone is using Jira to document their change management process, it is imperative that they back up their Jira data, as it contains the change management evidence their auditors will need.
The SOC 2 audit evaluated all aspects of service delivery. It also evaluated whether the data we hold is properly secured against unauthorized access and modification. This means that your data is safe with Revyz.
Our SOC 2 Type II auditor from Sensiba San Filippo examined our systems from every angle to ensure the security of our approach. The report verifies that Revyz has implemented appropriate security measures in accordance with industry best practices.
A few of the things we're committed to going forward:
- Periodic third-party penetration testing
- Participating in the Atlassian marketplace bug bounty program
- Participating in the Atlassian Cloud Fortified program
- Regular vulnerability scanning of our infrastructure
- Strict code quality and mandatory security reviews
- Stringent SOC 2 compliance vetting for all critical vendors
- Enforcement of best security practices across the Revyz org
To help us with this process, we enlisted Secureframe to automate parts of the process and streamline the evidence collection needed to pass the compliance checks. Secureframe helps us monitor our SOC 2 controls and provides a real-time dashboard of our status. It notifies us of any potential risks so that we can react quickly.
More than just SOC 2
Becoming SOC 2 compliant is just one piece of our commitment to being the first Atlassian native data protection and management vendor in the market. We offer a full suite of features and functionality that provides the necessary data protection, security, configurability, and control that enterprise customers have come to expect. While many companies invest in getting their SOC 2 compliance later in their journey, we decided to prioritize it early because we know it's important to you, our customers. Achieving this compliance provides peace of mind for both ourselves and for our customers.