We did it: Xopero is SOC 2 compliant!

Why do people trust a company or a third party when it comes to storing customers’ data? What identifies a company as trusted or untrusted? How can a company that deals with confidential data show that it is reliable and worth customers’ attention without saying a word? The answer is SOC 2.

SOC 2 is a set of regulations and requirements aimed at eliminating risk and exposure for the data a company stores.

And if you are wondering whether Xopero Software is compliant with SOC 2 Type I, we are happy to say: YES! It was a long process involving checks of different kinds, but we withstood it. We have been thoroughly checked and audited in four categories: Security, Availability, Processing Integrity, and Confidentiality, so you can be sure we met all world-class level standards.

So, let’s figure out what we know about SOC 2 and why it is important for us. 

What is SOC 2 and why is it a key feature for cloud and third-party providers?

First, let us tell you a little about the history of SOC 2 to show why this compliance became such an essential target for us. SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) sometime in 2010 and is designed for service providers that store customer data in the cloud, and Xopero Software stores such data! For 4 years cloud vendors were allowed to meet only SOC 1 compliance requirements. However, in 2014 everything changed, and since then all those who position themselves as the most reliable and trustworthy providers must maintain SOC 2 compliance.

AICPA built the compliance on five “pillars”: Security, Availability, Processing Integrity, Confidentiality and Privacy. Each of these terms carries high safety criteria.

Security, as the first resort

Security means that the company uses IT precautions to protect all the information and the system from unauthorized access. Which measures? It is up to the company to decide: there can be two-factor authentication, firewalls or any other way to keep the data secure.

Availability is your virtue

Under Availability we understand resilience against any potential threats, namely external ones. In other words, the company controls the operations, maintenance and monitoring of the software infrastructure.

Processing Integrity, as a must

This criterion proves that the company can guarantee all the functions work properly and smoothly – there are no delays, errors, unauthorized manipulations or omissions. 

Confidentiality increases honesty 

This feature relates more to the company’s data than to customers’ data, because under Confidentiality we understand that the company protects all confidential information, such as business plans or intellectual property documents.

Privacy, as a key feature

This feature ensures that all personal information is collected and used in line with all the security measures, so that it won’t be disposed of anywhere, anytime.

What does SOC 2 Compliance mean to our customers?

By becoming SOC 2 compliant, we guarantee our customers’ data security. How? Let’s see. To complete the SOC 2 audit, every company must undergo various checks and meet all the compliance requirements. Thus, we see continuous security monitoring, host-based monitoring, alerting procedures and audit trails as a MUST. So, let’s look at these stages step by step.

Continuous security monitoring

We have established processes and procedures to monitor unusual system activity, system configuration changes by authorized and unauthorized users, and their access levels. Thus, it has become easier to detect any potential threats that can come from both internal and external sources, as we always know what happens with our cloud infrastructure.

Alerting procedures

Nowadays threats are everywhere, and if any security incident happens it’s essential to have sufficient alerting procedures. Under SOC 2 requirements, we set up alerts for any activities related to unauthorized data exposure and/or modification; the same applies to controls and configurations. Moreover, there are alerts for file transfer activities, logins and account access. Thus, we have a defined course of action to prevent data from being lost or compromised.

Audit trails 

It is vital to know the root cause when a problem arises. Otherwise, how will you understand when and how you need to respond to a problem and start recovery actions? Audit trails are the best method to gain the insight you need to perform security operations. They can cover modification, addition or removal of crucial system components, unauthorized data modifications, the scale of the disaster and its point of origin.

Host-based monitoring

It is important to know when a problem occurs, but it is even more vital to know what corrective actions should be taken – we see that it is one of the key issues for our customers. Hence, we have procedures for what to do when any problem occurs, including outages, disasters, etc. For us both MTTD (Mean Time To Detect) and MTTR (Mean Time To Remediate) are principal concerns.

What does SOC 2 mean for Xopero Software?

We understand that becoming SOC 2 Type I compliant doesn’t mean that everything is over. It is just the beginning of our security journey (Type II is just around the corner). No matter how strong the security is, there are always ways to improve it.

For now we know that all our customers are well-protected and can work with peace of mind, as we do our best to make their automated backups and recovery procedures as fast and reliable as possible.