Privacy and security are an unbreakable duo! And we will never stop saying that. Managing a backup and data protection business, we always remember our top priority: following and ensuring the highest security standards for the products and services we develop, for our customers, and for our team.
After successfully completing SOC 2 Type I and ISO 27001 audits, we never thought of stopping our journey toward higher security standards. And now we are happy and proud to announce that in May 2023 we completed the SOC 2 Type II report, which covers all information security principles, including Security, Availability, Confidentiality, and Processing Integrity. It also addresses all common COSO and information security criteria, such as Logical and Physical Access Controls, System Operations, Risk Mitigation, Change Management, and more.
It was a long journey to obtain and comply with the SOC 2 standard, as SOC 2 compliance is all about checks and balances. In this blog post, we’ve decided to share with you all the practical knowledge we’ve gained along the way.
SOC 2 Type II – a brief explanation
What could be a better way to prove that customers’ data and its security are your top priority? For sure, it’s compliance with SOC 2, a framework applicable to technology and SaaS businesses that keep their customers’ data in the cloud. The standard was first launched in 2010 by the American Institute of CPAs (AICPA), and on the basis of “trust service principles” it defines a benchmark for managing customers’ data.
It’s worth mentioning that controls and reports vary from business to business. Thus, every company defines its own requirements and controls to comply with the Trust Service Criteria (TSC).
SOC stands for Service Organization Control, and a report from a SOC 2 audit provides details on how your service provider manages the data entrusted to it.
SOC 2 consists of two types of reports, and Xopero has completed them both:
- Type I, which describes the information security management system and evaluates the suitability of its design against the checkpoints of the standard.
- Type II, which proves that the information security management system operates in line with the security standards. To prove it, the organization provides evidence that its security measures have been functioning for a period of at least 6 months.
SOC 2 Type II – Xopero’s journey
Only outside auditors can issue a SOC 2 report. To get ready for the audit, we needed to put the right technology and IT infrastructure in place. We set up highly stringent security procedures, instructed each team member on the security posture and top Xopero principles, and made all those processes permanent.
The auditors carefully examined and analyzed our documentation, conducted interviews with our team members, examined our websites, and, what’s more, scanned, checked, observed, and inspected our processes and infrastructure. This helped them determine the level of information processing security in our organization and to see whether we meet the requirements of the SOC 2 Type II TSC.
When you have worked in the backup and data protection industry for almost 15 years, you understand that there is no finish line for security improvements. And we know for sure that the official report we are so proud of is just the start of our journey. Just take a look at what we are committed to and responsible for:
- keeping up with all the services within the Identify Control Management System
- identifying the risks that threaten the achievement of the control objectives and the service organization’s commitments
- designing and developing controls to mitigate those risks
- and more.
And that’s not all! We are constantly monitoring, checking, and improving our security measures, as this is our number one priority and responsibility.
SOC 2 report – what it says to our customers and partners
In a nutshell, Xopero’s SOC 2 Type II report means that our customers’ data, its security, and its protection are our top priority. And it’s more than just words, it’s a formally acknowledged and verified commitment!
High security standards like SOC 2 Type I, ISO 27001, and SOC 2 Type II are recognized all over the world and attest to our security posture. Within those standards, we choose our technologies, build our processes, and form our technological alliances.
SOC 2 Type II compliant backup software – how it improves your SOC 2 posture
When your organization is going through its own certification path, or is considering any IT solution to integrate with its business processes, the cornerstone of its choice should be picking suppliers that operate in accordance with world-class security standards, like SOC 2 Type I, ISO 27001, and SOC 2 Type II. What’s more, implementing backup and data protection best practices is highly important for passing your own SOC 2 certification process. So, remember, we have got your back(up)!