Affirms ongoing commitment to clients, data security and privacy
By: Vincenzo Acinapura, Co-founder & CTO at TrustLayer
Information security is paramount. Nobody would argue with that considering the persistent threat of cyber-attacks and digital mishaps. Here at TrustLayer, we know how important data security is to our customers and broker partners in tracking third-party insurance and compliance documents. That is why I’m both pleased and proud to announce that TrustLayer has successfully completed a SOC 2 Type II audit. Receiving SOC 2 attestation is a key part of TrustLayer’s ongoing commitment to data security beyond established protocols and industry compliance – it’s built into the foundation of our platform.
Generally speaking, IT compliance is usually a discussion between peers – it’s IT inside baseball. For those of you interested, I’ll summarize what we’re talking about, why it’s important and finally tell you about our approach below.
For most readers out there, though, this is simply a giant checkbox that lets you move forward confident that TrustLayer implements and adheres to rigorous IT standards… and that we come fully vetted by an outside auditor.
What is SOC 2 Type 2 Compliance?
Service Organization Control (SOC) 2 is an auditing standard, defined by the American Institute of Certified Public Accountants (AICPA), that assesses how a service organization manages and protects the data it holds. SOC 2 is widely considered the gold standard for security compliance among software-as-a-service (SaaS) companies. It requires a company to establish, document and follow a rigorous set of security controls that an auditor then examines.
SOC 2 reports are tailored to the individual needs of every organization and are based on the following trust services criteria: security, availability, processing integrity, confidentiality, and privacy. There are two main types of SOC 2 report:
- Type 1 – this report describes the organization’s system and states whether its controls are suitably designed to meet the trust principles at a point in time
- Type 2 – this report goes further and states whether those controls actually operated effectively over a review period
A SOC 2 Type 2 report is issued after a company undergoes an auditing process administered by an independent, third-party audit firm. Successfully completing the SOC 2 examination signifies that TrustLayer’s service commitments and system requirements were achieved based on the applicable trust criteria relevant to security.
Why did TrustLayer pursue SOC 2 compliance?
Our customers rely on TrustLayer every day to eliminate third-party risk exposure, efficiently onboard vendors onto projects, and streamline manual and paper-based compliance tasks. It’s crucial that we help our customers and partners by ensuring that their data is secure. In addition, the attestation can help brokers and insureds adopt and implement our AI and RPA technology much more quickly.
Our journey to SOC 2 Compliance (and what other startup CTOs might expect)
Since it was TrustLayer’s first experience with a SOC 2 Type II audit, we sought the expertise of our partner Eden Data, which has a wealth of audit experience. Together, we collaborated to ensure the audit went smoothly and quickly, delivering faster value to customers and brokers. Like any project, we began by building a strategic roadmap so that the timeline aligned with business initiatives, and we conducted a thorough evaluation of our internal security environment to prepare for the audit. Since the audit touches a multitude of business units, we unified stakeholders from each unit to validate the processes and documentation that would be provided to obtain the attestation.
Eden Data acted as a guide through this phase of evidence gathering. They were able to advise on the necessary policies, procedures and controls, gather or create the required documentation, and review all evidence before it was provided to the auditors. By front-loading the internal review process, the actual SOC 2 Type II audit progressed quickly and smoothly. This phase of the project lasted the longest, approximately two months, but it paid off once the auditors were brought in.
Once the audit kicked off, what would normally have been the most stressful part of the process was a breeze. Because we had prepared our evidence so thoroughly, using Eden Data’s advice on the gold standard for language and precision, very few revisions were necessary. Another advantage of our collaboration with a partner was that they managed the relationship with the auditor, acting as our intermediary and advocating on our behalf in response to any pushback and questions, all of which preserved our objectivity and our relationship with the auditors. An unexpected advantage of working with a partner that had both internal and external audit experience was that we were able to act as the quarterback (so to speak) for this initiative, anticipating what would be required and delivering it with fluency. To our satisfaction, the audit progressed swiftly and seamlessly.
In all, the actual audit took approximately 3 weeks, and we were thrilled (although not necessarily surprised) at the results. With initial prep work, the entire engagement spanned approximately 3 months.
What’s next for compliance at TrustLayer?
TrustLayer is committed to continually evolving our compliance and security program to offer unparalleled assurance to our clients and partner community. Following our successful SOC 2 Type II audit, a logical next roadmap item would be to obtain ISO 27001 certification, which enhances both our domestic and international standing. We’ll continue to work with our partner, Eden Data, to evaluate the overlap between SOC 2 Type II and ISO 27001, once again aiming to deliver quick and fruitful value to the business and our community.