Nočnica Mellifera for RudderStack

How to get SOC 2 Certified

cover image: Ninad Chitnis, CC BY-SA 4.0

What is SOC 2?

SOC 2 is an audit conducted by third-party certified auditors who assess an organization against five trust principles, and it is widely considered the gold standard for security compliance. The audit process and certification were developed by the American Institute of CPAs (AICPA).

Why should you get certified?

If you handle highly sensitive customer data (as financial companies do, for example), the SOC 2 certification makes your life easier: it reduces the effort you spend auditing us before buying. The certificate means that we follow industry-standard security compliance practices for your sensitive data.

How did we do it?

Obtaining a SOC 2 certificate means ensuring that each employee, as well as each piece of infrastructure, adheres to the guidelines laid out by AICPA.

The human side: training

At RudderStack, we needed every single person on the team to have the knowledge necessary to maintain security.

To get started, each person on the RudderStack team (all of our teams: engineering, sales, marketing, content, etc.) completed online training with modules on security concepts, threats, best practices, and protocols. After each module there was a multiple-choice knowledge test that we all had to pass.

Once the training was complete, each employee had to ensure their work machines and accounts were protected with antivirus software, password managers, and two-factor authentication.

Finally, each RudderStack employee agreed to the terms and conditions for keeping all data secured.

The Infrastructure

Securing the infrastructure of our production environment is crucial to obtaining the SOC 2 certification. The production environment cannot allow public or unauthorized access, and access control is paramount.

To protect our production environment, we used Vanta agents, which monitor the infrastructure machines for vulnerabilities.

After securing the machines, the next step was code-level security: for GitHub and AWS access control, we enforced two-factor authentication.
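A control like the AWS two-factor requirement is only useful if you can show it holds, so here is an added example (not code from the post or from RudderStack) that checks an IAM credential report for console users with no MFA device active. The report rows below are constructed sample data; the column names follow the real IAM credential report, which a team would download with `aws iam get-credential-report`.

```python
import csv
import io

# Constructed sample in the layout of an IAM credential report. The real report has
# more columns; only the ones this check reads are included. Users are invented.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,true,false,false
alice,true,true,false,false
bob,true,false,true,false
ci-deploy,false,false,true,false
carol,true,false,false,false
"""


def users_without_mfa(report_csv: str) -> list:
    """Return the users who can sign in to the console but have no active MFA device.

    The root account reports password_enabled as 'not_supported' rather than 'true',
    so it is treated as console-capable. Identities with password_enabled == 'false'
    (access-key-only service users such as ci-deploy) are skipped, since console
    MFA does not apply to them; key rotation is a separate control.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_capable = row["password_enabled"] in ("true", "not_supported")
        if console_capable and row["mfa_active"] != "true":
            findings.append(row["user"])
    return findings


def mfa_control_passes(report_csv: str) -> bool:
    """True only when every console-capable user, root included, has MFA active."""
    return not users_without_mfa(report_csv)


if __name__ == "__main__":
    missing = users_without_mfa(SAMPLE_REPORT)
    print("users without MFA:", missing)
    print("MFA control passes:", mfa_control_passes(SAMPLE_REPORT))
```

Run against the real report, a non-empty result is the list of accounts to fix before an auditor asks for evidence.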

The final task was to secure communications: we enabled two-factor authentication on our GSuite accounts.

What it means

To read about what this certification means for RudderStack and our team, read our full post on how we got there.
