If you are working with a good legal technology provider that specializes in document automation software or contract management, they must have mentioned to you a time or ten about being SOC 2 Type 2 certified. In fact, do you remember how 6 months ago we got our SOC 2 Type 1 certificate and it was a very big deal (and a big party) for us?
Now AXDRAFT received a SOC 2 Type 2 certificate, and your contracts are now more secure than ever with us!
But what is this SOC report, why are there different types of it, and how does it ensure the security of your data? The answer is hard to find on Google without running into multiple companies offering to pre-audit, audit, and re-audit you for SOC 2 compliance.
To clarify the significance of SOC 2 compliance and offer you a comprehensible explanation, we decided to write this blog post.
What is a SOC report?
The System and Organization Control (SOC) report was first introduced in 2011 in an effort by the American Institute of Certified Public Accountants (AICPA) to create a means of control for cloud storage providers. And we’re not talking about bureaucratic control.
For AICPA, a control means a process that is created either to avoid an unwanted event or to reach a desired goal. Here, the goal is the protection of the client’s financial data, and the unwanted event is a security breach that compromises that data.
Of course, today SOC reports are done not only to protect financial data, but any type of client information that has gone digital and is stored in a service provider’s cloud storage.
Since document automation software and contract management solutions work with clients’ valuable data, it is important for legal operations to know that the legal technology their company uses will keep that data protected.
There are 3 different SOC reports, and two types for each of them:
- SOC 1 – Internal Financial Controls report
- SOC 2 – Controls at a Service Organization report
- SOC 3 – Same thing as SOC 2 report, but meant for general audiences
When AXDRAFT received its Type 1 certificate, we described it as a point-in-time audit and a starting point towards receiving a Type 2 certificate, which is a longer-term procedure that audits the organization’s operations over a period of time.
A SOC 2 Type 2 report is the key procedure that signifies the high level of protection of a service provider’s client data. Now let’s find out what it consists of.
Contents of a SOC 2 Audit
Like any other report, a SOC 2 report has its own typical structure:
- Report from the auditor. Here the auditor talks about the audit procedure, what has been done, what they have found, and where their concerns lie.
- Management Assertion. This is where you read the statement from the examined company’s management and their assessment of the audit.
- Description of System. This is an overview of the examined company. Here, they go into the details about what they do, how they do it, technology that they use, and the products that they offer.
- The Control Matrix. Not the world simulation, no. Just the overall principles, criteria, controls, tests, and the results of an audit.
Everything in the matrix is based on the COSO Internal Control Framework, which sets the evaluation standards for every SOC 2 report.
COSO Internal Control framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control is the framework that ‘helps organizations design and implement internal control in light of the many changes in business and operating environments’.
To ensure the security of our clients’ data on all levels, AXDRAFT is being continuously evaluated in the following 9 categories:
- Control Environment
- Communication and Information
- Risk Assessment
- Monitoring Activities
- Control Activities
- Logical and Physical Access Control
- System Operations
- Change Management
- Risk Mitigation
Our SOC 2 audit covers each of these categories. However, it is up to the examined company to decide which categories to adhere to.
We just thought that the full package would be good enough to ensure your privacy and security.
How does this AXDRAFT update affect me?
On the client side, nothing changes. Our SOC 2 Type 2 certificate only ensures that our security measures are constantly improving and are being regularly tested and updated to account for all possible risks.
At the time the article was written, AXDRAFT:
- Adheres to 32 principles of the COSO Framework
- Has 141 controls in place for those principles
- Passed 601 tests to ensure that all controls are working.
A SOC 2 Type 2 certificate means that there is always an extra bit of work for us. But that extra bit means that we can sleep well, knowing that every day we make sure that nothing poses a threat to the security of our clients’ data.
If you are a cloud service or SaaS provider, SOC 2 compliance will greatly assist you in building trust with your customers and your board. A SOC 2 report is designed to serve as assurance to your clients, management, and users about the security and effectiveness of your services.
Undergoing the SOC 2 Type 2 audit is a lengthy process, but one we willingly took part in. Being a legal technology provider, we understand the importance of security and the dire consequences of being compromised.
AXDRAFT is here to make a legal operations manager’s life easier by removing routine from their legal team’s schedule, and by ensuring the safety and accessibility of their contracts at all times. This is why being SOC 2 Type 2 certified is very important to us.
To get a copy of AXDRAFT SOC 2 report, please contact any of our team members.
Do you also have a SOC 2 certificate? Find out how QuickDocs self-service contracts make it easier for you to process SOC 2 report requests.