SOC 2 isn't a set of hard and fast rules. Rather, it is a framework that sends a strong signal that an organization prioritizes key attributes: security, availability, processing integrity, confidentiality, and privacy. Note that SOC 2 is an attestation report issued by an independent CPA, not a certification. A clean SOC 2 report on its own does not prove that an organization is 100% secure, but it is a very good start and goes a long way toward instilling trust in your customers.
Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five Trust Services Criteria (historically called the "trust service principles"):
Security: the foundational criterion, included in every SOC 2 report; protection of systems and data against unauthorized access, disclosure, and damage.
Confidentiality: protection of information designated as confidential from unauthorized disclosure.
Availability: systems and data are available for operation and use as committed or agreed (for example, in an SLA).
Processing integrity: system processing is complete, valid, accurate, timely, and authorized, so that data is not changed or processed in an unauthorized manner.
Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization's privacy notice and the AICPA's privacy criteria.
Unlike ISO 27001, which certifies an organization against a fixed set of requirements, SOC 2 reports are unique to each organization. In line with its specific business practices, each organization designs its own controls to meet one or more of the Trust Services Criteria, and the auditor tests those controls.
These reports are restricted-use documents shared under NDA with customers, prospects, regulators, and business partners, and they give the reader important information about how a service provider manages data.
The SOC 2 reporting standard is defined by the AICPA, and every SOC 2 report is signed by a licensed CPA firm. To achieve SOC 2 compliance, most companies spend anywhere from six months to a year on focused preparation. This includes identifying which systems are in scope for the audit, developing policies and procedures, and implementing new security controls to reduce risk. When ready, the organization engages a licensed CPA firm to conduct the audit. The process involves scoping, collection of evidence artifacts (policies, tickets, logs, screenshots), and auditor fieldwork. The time commitment is typically several hours of introductory calls and about two days of fieldwork, often on site at your office.
SOC 2 Type I: An audit conducted against the Trust Services Criteria at a single point in time. It answers one question: are the controls that are in place today designed properly?
SOC 2 Type II: An audit conducted against the Trust Services Criteria over an observation period. The period is typically six months the first time and a year thereafter, and the auditor tests whether the controls actually operated throughout it. This means you need a system of record that retains evidence for the whole period. Type I reports are, as you might imagine, quicker to prepare for and conduct because you don't have to wait for six months of historical data. While Type II reports take more time, they are that much more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on, because they report on what you actually did rather than what you aspire to do. Because of this added value, our recommendation is to get started early and work directly toward the Type II report. This approach emphasizes immediate action toward improving your security, and because a Type II report covers everything a Type I does, starting with Type II from day one also saves money in the long term.
The Trust Services Criteria are organized into nine series of "Common Criteria" (CC1 through CC9) that apply to every SOC 2 report, plus additional criteria for the availability, confidentiality, processing integrity, and privacy categories when those are in scope. (These SOC 2 Common Criteria are unrelated to the Common Criteria for Information Technology Security Evaluation, ISO/IEC 15408, which certifies individual security products against vendor claims in accredited labs.) The nine series are: CC1 Control Environment, CC2 Communication and Information, CC3 Risk Assessment, CC4 Monitoring Activities, CC5 Control Activities, CC6 Logical and Physical Access Controls, CC7 System Operations, CC8 Change Management, and CC9 Risk Mitigation. Below are the ones most often discussed with SaaS providers and vendors.
A SOC 2 report is issued by an outside CPA firm. The auditor assesses the extent to which a vendor's systems and processes satisfy one or more of the five Trust Services Criteria.
The Common Criteria most relevant to Compyl customers are broken down as follows:
SOC 2 CC1: Control Environment. Workflows are at the heart of every organization. As an organization grows from two people to five to ten, and so on, these workflows can introduce security gaps. SOC 2 CC1 addresses your control environment, of which workflows are a component. Most workflow suites include predetermined workflows for the most common business tasks, including employee onboarding, offboarding, vendor requests, approvals, renewals, and terminations, as well as the ability to build, save, and repeat your own customized workflows to match your particular internal processes. When you use Compyl for SOC 2 compliance, all your workflows are documented as exportable logs. When you undertake a SOC 2 audit, you can easily pull these logs and present them as evidence to your auditors.
SOC 2 CC5: Control Activities. A mid-sized company typically runs well over a hundred SaaS tools, which means a lot of vendors. Lack of visibility into who all these vendors are and how they interact with your company can be grounds for a SOC 2 exception. Maintaining unwieldy spreadsheets, while common practice, fails to capture crucial real-time data about your vendors.
SOC 2 CC6: Logical and Physical Access Controls. While the broader CC6 series covers both logical and physical access controls, Compyl helps you manage logical access controls. We do this by giving you enhanced visibility of all the third-party apps in use at your organization. App discovery and tracking give you a single source of truth as support for your SOC 2 compliance documentation. Moreover, security monitoring provides ongoing access control data collection crucial to your SaaS security audit. If a new app is added to your organization or there is a user state change (for example, a role change or an offboarding), Compyl captures this as exportable activity logs. Through this data, you can demonstrate the measures you have taken to control logical access across all your organization's apps. Using Compyl for SOC 2 compliance gives you a centralized view of all third-party SaaS apps in use in your organization, and tools to help you manage how your personnel interact with them.
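The CC1 offboarding workflow and the CC6 user state changes above both come down to the same check: compare the access each app actually grants against who the organization says should have it, and record every change and every violation as an exportable log entry. The script below is an added example written for this page; it is not Compyl's code or the AICPA's text. The directory, app names, role names, and the "before/after" snapshots are constructed sample data standing in for exports from your HR system and each SaaS admin API.

```python
"""
Added example (not Compyl's code): detect logical-access drift between two
snapshots of a SaaS app inventory and emit audit-log records as evidence for
SOC 2 CC6 (logical access changes) and CC1 (offboarding workflow) testing.
All data below is constructed for the example.
"""
import json

# Constructed HR directory: who is active and who has been offboarded.
DIRECTORY = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "terminated", "terminated_on": "2024-03-01"},
    "carol": {"status": "active", "role": "finance"},
}

# Constructed snapshots of app -> {user: role}, as exported from each app's
# admin API on two different days. "slack" only shows up in the second one.
SNAPSHOT_BEFORE = {
    "github": {"alice": "member", "bob": "admin"},
    "salesforce": {"carol": "user"},
}
SNAPSHOT_AFTER = {
    "github": {"alice": "admin", "bob": "admin"},
    "salesforce": {"carol": "user", "alice": "user"},
    "slack": {"alice": "member", "bob": "member"},
}


def diff_access(before, after, directory, observed_at="2024-03-15T00:00:00Z"):
    """Compare two app->{user: role} snapshots against the HR directory.

    Returns (events, findings). Events are the raw state changes an auditor
    wants to see in an activity log; findings are policy violations a control
    owner must act on (the policy here is this example's assumption: every
    account in every app must belong to an active person in the directory).
    """
    events, findings = [], []

    def event(kind, app, user=None, **extra):
        rec = {"observed_at": observed_at, "event": kind, "app": app}
        if user is not None:
            rec["user"] = user
        rec.update(extra)
        events.append(rec)

    # 1. State changes between the two snapshots (app discovered/removed,
    #    access granted/revoked, role changed), in a deterministic order.
    for app in sorted(set(before) | set(after)):
        old, new = before.get(app, {}), after.get(app, {})
        if app not in before:
            event("app_discovered", app)
        if app not in after:
            event("app_removed", app)
        for user in sorted(set(old) | set(new)):
            if user not in old:
                event("access_granted", app, user, role=new[user])
            elif user not in new:
                event("access_revoked", app, user, role=old[user])
            elif old[user] != new[user]:
                event("role_changed", app, user, old_role=old[user], new_role=new[user])

    # 2. Policy checks on the current state: terminated people and accounts
    #    unknown to HR are exactly what an offboarding control should catch.
    for app, members in sorted(after.items()):
        for user, role in sorted(members.items()):
            person = directory.get(user)
            base = {"observed_at": observed_at, "app": app, "user": user, "role": role}
            if person is None:
                findings.append({**base, "kind": "unknown_account"})
            elif person["status"] != "active":
                findings.append({**base, "kind": "terminated_user_has_access",
                                 "terminated_on": person.get("terminated_on")})
    return events, findings


def export_log(events, findings):
    """Serialize as newline-delimited JSON, a shape SIEMs and auditors accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in events + findings)


if __name__ == "__main__":
    ev, fd = diff_access(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, DIRECTORY)
    print(export_log(ev, fd))
```

Run on the sample data, the script reports one role escalation, two newly discovered grants, one newly discovered app, and two findings: bob was terminated on 2024-03-01 but still holds admin on github and a seat in the new slack workspace. For a Type II period you would run this on a schedule, keep every emitted line, and ticket each finding, so that the log itself becomes the evidence that the de-provisioning control operated.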
The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP). Personal identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.
While SOC 2 compliance isn't a legal requirement for SaaS and cloud computing vendors, its role in securing your data and in proving that security to customers cannot be overstated.
Imperva undergoes regular audits to ensure the requirements of each of the five trust principles are met and that we remain SOC 2-compliant. Compliance extends to all services we provide, including web application security, DDoS protection, content delivery through our CDN, load balancing, and Attack Analytics.