Our customers at Affinity trust us with some of their most important data. Because of that, security has always been the top priority for our product and engineering teams. As part of our commitment to security, we're proud to announce that we recently obtained our SOC 2 Type II attestation report.
What's SOC 2?
SOC stands for "System and Organization Controls", and is a framework governed by the American Institute of Certified Public Accountants (AICPA).
For SOC 2, AICPA has defined five Trust Services Criteria (TSC) that service organizations can choose to meet: Security, Availability, Processing Integrity, Confidentiality, and Privacy. All SOC 2 reports must cover Security. Beyond Security, service organizations can choose to add further criteria to their report based on what's most relevant to their business.
Once the TSCs have been chosen, the service provider must define controls to ensure that those criteria are met. For instance, to meet the Security criterion, a service provider might define a control that requires access to all sensitive internal systems to be protected by multi-factor authentication.
In preparing a SOC 2 report, a third-party CPA firm evaluates two main questions. First, are the controls adequate and appropriately designed to address the selected TSCs? And second, are the controls actually operating effectively in the day-to-day practices of the service organization?
Type I vs Type II reports
Under the SOC 2 framework, there are both Type I and Type II reports.
A Type I SOC 2 report is a point-in-time report. To issue a Type I report, a CPA firm evaluates the controls in place at a service organization and determines whether they're appropriately designed and implemented effectively at a single point in time.
A Type II SOC 2 report, on the other hand, covers a significant period of time (generally at least six months). To issue a Type II report, a CPA firm not only evaluates the design and implementation of a service organization's controls but also evaluates whether the controls were operating effectively over the entire audit period.
For example, an organization might have a control that states that all product and infrastructure changes must be reviewed by at least one employee other than the author of the change. For this organization, when preparing a Type II report, a CPA firm will actually draw on a large sample of changes made during the audit period and seek evidence that each of them was in fact reviewed appropriately as per the control.
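The sampling-and-evidence step described above is easy to automate for a change-review control. The following is an added example, not code from Affinity, Vanta or Linford: it draws a random sample from a set of change records and flags every change that lacks an approval from someone other than the author. The record format, the constructed PR records, and the rule that an approval must postdate the change's last commit (so a review of an earlier revision does not count) are all assumptions of this example, not anything the post specifies.

```python
"""Added example: auditing a sample of change records against the control
"every change must be reviewed by at least one employee other than the author".
The Change record layout and the sample data below are constructed for this
example; a real review would export such records from the SCM or ticketing system.
"""
import random
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Change:
    change_id: str
    author: str
    last_commit_at: datetime
    # (approver, approved_at) pairs; constructed format, not a real API shape
    approvals: list = field(default_factory=list)


def evaluate_change(change):
    """Return None when the change satisfies the control, otherwise a reason.

    Assumption for this example: an approval only counts as evidence if it
    came from a non-author AND was given after the change's last commit.
    """
    valid = [
        (who, when)
        for who, when in change.approvals
        if who != change.author and when >= change.last_commit_at
    ]
    if valid:
        return None
    if not change.approvals:
        return "no approval recorded"
    if all(who == change.author for who, _ in change.approvals):
        return "only self-approval recorded"
    return "approval predates latest commit (stale review)"


def sample_changes(changes, sample_size, seed=0):
    """Draw a reproducible random sample (seeded so the auditor can re-run it)."""
    rng = random.Random(seed)
    return rng.sample(changes, min(sample_size, len(changes)))


def audit_sample(changes, sample_size, seed=0):
    """Evaluate a sample and report the exceptions keyed by change id."""
    sample = sample_changes(changes, sample_size, seed)
    exceptions = {}
    for change in sample:
        reason = evaluate_change(change)
        if reason is not None:
            exceptions[change.change_id] = reason
    return {"sampled": len(sample), "exceptions": exceptions}


# Constructed sample data covering the pass case and each failure mode.
CHANGES = [
    Change("PR-101", "alice", datetime(2019, 6, 1, 10, 0),
           [("bob", datetime(2019, 6, 1, 12, 0))]),
    Change("PR-102", "bob", datetime(2019, 6, 15, 9, 0), []),
    Change("PR-103", "carol", datetime(2019, 7, 2, 14, 0),
           [("carol", datetime(2019, 7, 2, 14, 5))]),
    Change("PR-104", "dave", datetime(2019, 7, 10, 15, 0),
           [("erin", datetime(2019, 7, 10, 9, 0))]),
    Change("PR-105", "erin", datetime(2019, 8, 1, 11, 0),
           [("erin", datetime(2019, 8, 1, 11, 30)),
            ("alice", datetime(2019, 8, 1, 13, 0))]),
]


if __name__ == "__main__":
    report = audit_sample(CHANGES, sample_size=len(CHANGES))
    print(f"sampled {report['sampled']} changes")
    for change_id, reason in report["exceptions"].items():
        print(f"  exception {change_id}: {reason}")
```

Running the whole population through `audit_sample` shows three exceptions (no approval, self-approval only, and a stale approval) and two passes. The seeded sampler matters in practice: an auditor who re-runs the script gets the same sample, so the evidence gathered for the report can be reproduced.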
Why and how we got our SOC 2 attestation
At Affinity, we chose to get a SOC 2 report for two reasons. First, we wanted to hold ourselves accountable to a rigorous framework to help ensure that we keep our customers' data safe. Second, we wanted a streamlined, standardized way to communicate our security practices to our customers.
We worked with Vanta to help define our controls and ensure they were operating effectively, and worked with Linford as the CPA firm that performed our audit.
We started by getting our Type I report in May of 2019, and recently got our first Type II report to cover the audit period from May 1 to October 31. Moving forward, we plan to renew our Type II report every year.
What about SOC 3?
SOC 3 reports are very similar to SOC 2 reports. They're governed by the same AICPA standards. When preparing a SOC 3, as with a SOC 2, a CPA firm evaluates the design and operational effectiveness of an organization's controls in addressing the chosen TSCs.
The main difference is that a SOC 2 report is intended to be a restricted-use report (generally for an organization's customers), whereas a SOC 3 report is intended to be a general-use report. A SOC 3 report excludes detailed information about an organization's controls and the auditor's testing methodology, but still includes a high-level overview of the auditor's opinion with respect to the effectiveness of the controls.
In addition to our SOC 2 report, we also have a SOC 3 report at Affinity - it's freely available and you can check it out here.