
June 2024

Subscribili is Now SOC 2 Type II Compliant

Learn about the SOC 2 Type II audit process and why it is crucial for Subscribili



Joe Brown

CTO


What is SOC 2 Type II & Why is it Important?

SOC 2, or Service Organization Controls 2, is a framework governed by the American Institute of Certified Public Accountants (AICPA). During a SOC 2 audit, an independent service auditor reviews an organization’s policies, procedures, and evidence to determine whether its controls are designed and operating effectively. A SOC 2 report communicates a company’s commitment to data security and the protection of customer information. A Type II audit involves monitoring the company’s policies and procedures over the course of a three-month period, addressing both the suitability of the design and the operating effectiveness of the organization’s controls over time.

Improving Your Security Posture

SOC 2 compliance exemplifies an organization’s commitment to its customers’ trust and is a major milestone toward improving overall security posture. With increasing cybersecurity threats and data breaches, it is paramount that organizations prioritize information security and the protection of their systems and data. By undergoing a SOC 2 audit, our controls and processes were validated by a third party that attested to the effectiveness of the controls relevant to our company and product.

Why We Pursued SOC 2 Now

SOC 2 compliance is an integral step in proving to customers, stakeholders, and interested parties that our organization values their trust and has effectively implemented security controls. At our company’s stage, we realized that it was an ideal time to pursue this as it is important to protect data and mitigate potential security risks early and on an ongoing basis.

Key Points:

1. Building Trust as We Grow: As a rapidly expanding company, we prioritize earning and maintaining the trust of our customers, particularly when it comes to safeguarding sensitive patient data.

2. Security Posture Commitment: As a growing company, we are deeply committed to continuously enhancing our security posture.

3. SOC 2 Compliance Goals: Achieving SOC 2 compliance underscores our dedication to maintaining high security standards.

4. SOC 2 Certification: We successfully received our SOC 2 Type II report on June 10, 2024, and are committed to renewing our SOC 2 certification annually.

5. Customer Assurance: This ongoing commitment ensures we meet and exceed industry standards, providing our customers with the assurance that their data is secure with us.

Subscribili’s Journey to SOC 2 Type II Compliance

One key takeaway is understanding that improving our security posture and achieving compliance is a monumental task. This can be made easier with the right compliance partners, but it requires dedicated focus and time from the organization.

We also found it important to review the audit timeline with partners, set an ideal audit date, and then work backward to be ready in time. However, now that controls are implemented and security is a priority for our team, subsequent SOC 2 audits will be even more seamless.

Lessons We Learned

1. Start the Process Early:

  • It is easier to implement policies earlier rather than later. Large organizations that have put this off often struggle to align the entire organization and audit readiness becomes a Herculean effort.
  • Defining policies and procedures, in addition to building out technology infrastructure, is a key component of a successful security program.

2. Improving Security and Achieving Compliance Can Help Scale Your Business:

  • Vendor security reviews are highly requested in sales cycles and SOC 2 can help unblock that business.
  • Mitigating risk early will protect your business and earn the trust of prospects and customers.

3. Knowing Your Stakeholders in the Compliance Process:

  • Decide early which internal stakeholders are needed for policies, procedures, and engineering tasks.
  • Your entire organization will be involved in improving security and adhering to procedures.

4. The Right Partners Are Key:

  • Finding a tool to guide you through the process and help keep you compliant is of paramount importance.
  • Partnering with an audit firm familiar with this tooling and that is dedicated to your success makes things much smoother.

5. Focus on Improving Security Posture, Not Checking Boxes:

  • Compliance is not one-size-fits-all.
  • Security is a continuous project that should be prioritized in an organization.

Overall, embarking on our SOC 2 journey was admittedly a bit nerve-wracking at first, but by leveraging tools and methodically working through the process while the company is still relatively early in its growth, we were able to establish a strong foundation and ensure a secure and reliable company moving forward.
