Liveoak Technologies obtains SOC 2 certification for Trust Service Principles
Liveoak Technologies, the digital video conferencing and onboarding solution, is Type 1 SOC 2 certified (formerly SAS 70) by the American Institute of CPAs. The SOC 2 is a third-party audit that provides assurance to customers of service organizations that business practices meet trust principles and criteria standards.
Everything you ever wanted to know about the SOC audit!
The term “SOC audit” is becoming more and more important in data security and compliance discussions. The SOC 2 reports on the security behind financial transactions, making it more relevant than ever in the growing wake of credit card fraud and data breaches. SOC 2 reports are unique to each company. Essentially, the provider looks at the requirements, decides which ones are relevant to its business practices, and then writes its own controls to fit those requirements. The SOC 2 audit is simply the auditor’s opinion on how that organization’s controls fit the requirements. This makes the auditor’s reputation very important to SOC 2 reporting, because an auditor with many years of experience in SOC reporting is more likely to have a thorough understanding of SOC controls and the best practices to apply to them. The end result of a clean (passed) opinion is that, according to the auditor, the data provider can be trusted as a secure hosting company.
What does SOC stand for?
Service Organization Controls
What is a SOC audit?
A SOC report is an internal control report on the services provided by a service organization to its customers and provides valuable information that existing and potential customers of the service organization need to assess and address the risks associated with an outsourced service.
Service organizations like Liveoak Technologies receive requests from customers for assurances about our controls to protect privacy and confidentiality of our users’ data as well as security, availability and processing integrity of our systems. Service Organization Controls (SOC) engagements have become the gold standard for reporting, examining and assessing these controls and are provided by CPAs.
Overview of the SOC 2 report
These reports are intended to meet the needs of a broad range of users who need to understand the internal controls of a service organization as they relate to the Trust Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. They are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors).
The Trust Service Principles on which SOC 2 is based are modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. Each of the principles has defined criteria (controls) that must be met to demonstrate adherence to the principles and produce an unqualified opinion (no significant exceptions found during the audit).
The 5 Trust Service Principles defined
- Security: The system is protected, both logically and physically, against unauthorized access
- Availability: The system is available for operation and use as committed or agreed to
- Processing Integrity: System processing is complete, accurate, timely and authorized
- Confidentiality: Information that is designated as “confidential” is protected as committed or agreed
- Privacy: Personal information is collected, used, retained and disclosed in conformity with commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA)
Why do organizations obtain a SOC 2 audit?
- The report is used by customers or stakeholders to gain confidence and place trust in a service organization’s systems.
- Customers have the need for and ability to understand the details of the processing and controls at a service organization (tests performed by the service auditor).
Why is the SOC 2 audit a significant differentiator for a Software-as-a-Service provider?
The biggest reason is that SOC 2 reports on the security behind highly sensitive transactions, as mentioned above. People want to be able to trust their data providers with confidential information, and a clean SOC 2 report means companies can depend on their hosting provider for secure, compliant hosting. That in turn means less worry for the end customer, and less investment on their part in controls. It’s important to remember that the customer, just like the vendor, still has the same responsibility to be compliant, for example through company policies and procedures.