Bedrock Blog

Ensuring Data Security with SOC 2 Compliance

Written by Gordon Yu | Sep 9, 2024 3:46:58 PM

Bedrock Security’s mission is to help organizations protect their data, including by ensuring the integrity of the Bedrock Security platform.

As an essential step in these efforts, Bedrock completed its inaugural SOC 2 Type 2 audit in 2024.

SOC 2 (Service Organization Control Type 2) is a cybersecurity framework that helps organizations protect customer data from unauthorized access and other threats. The American Institute of Certified Public Accountants (AICPA) developed SOC 2 in 2010 to establish trust between service providers and their customers. SOC 2 is a voluntary framework that technology and cloud computing companies implement to demonstrate their security standards.

Bedrock Security: Thoroughly Auditing Data Safeguards

SOC 2 audits are structured around the framework's five Trust Services Criteria (TSC):

  • Security: Systems and data are protected against unauthorized physical and logical access

  • Availability: Systems are operating and may be used as defined by the organization

  • Processing integrity: Data processing is complete, accurate, timely, and authorized

  • Confidentiality: Data designated as confidential is handled as defined by the organization

  • Privacy: The organization’s collection, use, retention, disclosure, and disposal of data conforms to its privacy policy

SOC 2 audits are conducted by an independent third-party assessor operating under AICPA standards. As with a financial statement audit of a public company, the outcome of a SOC 2 audit is the auditor's report.

The auditor's report provides a detailed assessment of whether the organization has the proper controls in place to ensure the security, availability, and processing integrity of its systems and the confidentiality and privacy of the information it processes. SOC 2 auditors write reports that express an opinion about the organization they audit. The auditor's possible opinions are:

  • Unqualified Opinion: The organization's controls are appropriately designed and operating effectively.

  • Qualified Opinion: The organization has certain exceptions where it did not meet the SOC 2 standards, such as a deficiency in the design of a control or a lapse in its adherence to a control. Those exceptions are listed in the report.

  • Adverse Opinion: The organization's controls do not meet the SOC 2 criteria.

  • Disclaimer of Opinion: The organization did not provide sufficient evidence to the auditors for the auditors to form an opinion.

The result of Bedrock’s SOC 2 audit was an unqualified opinion with no exceptions, which is the highest level of assurance that can result from a SOC 2 audit.

An unqualified opinion with no exceptions means that Bedrock met the following criteria:

  • Fair Presentation of Controls: Our auditors confirmed that the description of the organization's system (policies, procedures, infrastructure, software, capabilities, and staff) is fairly presented. Bedrock accurately represents its systems as they actually exist and operate, without any misleading or incomplete information.

  • Appropriate Design of Controls: Our auditors verified that our controls are appropriately designed to meet the relevant Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). Our controls provide reasonable assurance that the objectives related to these criteria will be achieved.

  • Effective Operation of Controls Over Time: Our auditors determined that our controls were operating effectively throughout the period under review.

  • No Material Deficiencies or Exceptions: Our auditors' unqualified opinion indicates that they did not find any material deficiencies or exceptions in the organization's controls. Material deficiencies are issues significant enough to undermine the trustworthiness of the system or to pose risks to the confidentiality, integrity, or availability of the data being handled.

SOC 2 Compliance: Major Benefits to Bedrock and Its Customers

Our customers care about our SOC 2 compliance for many reasons. Fundamentally, it builds additional trust and credibility with them and with our business partners by demonstrating our commitment to data security and privacy.

The SOC 2 process also serves as a regular check on risk management. By thoroughly and continuously examining our systems and processes, it helps us identify and address potential vulnerabilities before they can be exploited.

Furthermore, many organizations, especially ones subject to public scrutiny or operating in highly regulated industries, consider SOC 2 compliance a prerequisite for their cloud and SaaS vendors.

While SOC 2 is not a legal requirement, it aligns with and borrows concepts from a number of laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the General Data Protection Regulation (GDPR).

Overall, our continuous SOC 2 audit cycle helps us demonstrate our commitment to securing ourselves and our customers. SOC 2 is just one more method by which we ensure the industry’s highest level of protection for customer data.

To learn more about how the Bedrock platform can help improve your data security, read the white paper “The Path to Frictionless Data Security” or speak with our data security experts.