What SOC 2 Compliance Means for Your Data

In today’s business world, data security is critical. According to a 2019 report by Accenture, US companies lost $24.7 million to cybercrime in 2018. If your enterprise has stringent data security standards, you therefore need to look for a SOC 2 compliant vendor. SOC 2 was developed by the American Institute of CPAs (AICPA). It is based on five “trust service principles” for managing customer data: security, availability, processing integrity, confidentiality, and privacy.

SOC 1 vs SOC 2

The difference between SOC 1 and SOC 2 is that the former focuses on internal controls related to financial reporting (ICFR), while a SOC 2 audit focuses on information and IT security, meaning it addresses the steps the vendor has taken to protect the data and information you will provide to them. SOC 2 is also more comprehensive and is issued by outside auditors, unlike SOC 1, where the vendor creates a set of criteria and then passes the audit.

The Five Trust Service Principles

  1. Security – Vendors must protect customer data from unauthorized access. Various access control procedures are implemented, including firewalls, two-factor authentication, intrusion detection, and so on.
  2. Availability – This principle refers to the accessibility of the company’s systems, products, or services. A contract or service level agreement (SLA) is set by both parties to determine the minimum acceptable performance level.
  3. Processing integrity – This addresses whether the system does what it is supposed to do. Data processing must be timely, complete, valid, and authorized. For example, is the data being processed in a suitable manner and according to the protocols agreed upon by the vendor and client?
  4. Confidentiality – Confidential data includes business plans, business strategies, intellectual property, and so on. When access to or disclosure of data is restricted to a specified group, the data is considered confidential and needs a means of safekeeping, such as encryption or network firewalls.
  5. Privacy – This principle addresses the collection, use, storage, and management of personal information by the system, in line with the organization’s privacy notice and AICPA’s privacy rules.

SOC 2 compliance is not a requirement for data collection vendors; however, its role in keeping your data secure cannot be overstated. It is a means of determining the vendor’s commitment to securing your information. If you want to rest easy knowing that data from your research projects is kept safe and confidential, choose a SOC 2 compliant vendor.

For more information on data collection privacy or mail survey in general, contact DataForce!