April 05, 2021
We are thrilled to announce that RudderStack is now SOC 2 Type 1 certified. This certification is a key milestone for us. One that helps you ensure that we are protecting your customer data while helping you gain business insights. This blog talks about the importance, need, and steps we followed to obtain the SOC 2 Type 1 certification.
What is SOC 2?
SOC 2 is an audit conducted by third-party certified auditors who check an organization on five trust principles and is considered the Gold Standard for security compliance. This audit process and certification is developed by the American Institute of CPAs (AICPA).
As per Truvantis, “SOC 2 (System and Organization Controls 2) is a type of audit report that attests to the trustworthiness of services provided by a service organization. It is commonly used to assess the risks associated with outsourced software solutions that store customer data online.”
Why did RudderStack go Through the SOC 2 Audit?
RudderStack is a smart customer data pipeline that connects your entire data stack and carries customer data throughout. Even though we don’t persist any customer data, our clients trust us with the sensitive data that flows through our systems. RudderStack protects customers’ PII (Personally Identifiable Information) using PII detection and masking code.
Note: Read more on how RudderStack protects PII in this article.
If you deal with highly sensitive customer data (such as financial companies), the SOC 2 certification makes your life easier and reduces your effort in auditing RudderStack before buying. The certificate means that we follow industry-standard security compliance for your sensitive data.
How did we do it?
Obtaining SOC 2 certificate means ensuring each employee, as well as each piece of infrastructure, adheres to the guidelines as suggested by AICPA.
The RudderStack Team
To get started, each person from the RudderStack team (all of our teams - engineering, sales, marketing, content, etc.) completed online training with modules on security concepts, threats, best practices, and protocols. After each module, there were multiple-choice knowledge tests that we all had to pass.
Once the training was complete, each employee had to ensure their work machines and accounts (GitHub, e-mail, and so on) were protected using antivirus software, password protectors, and two-factor authentication.
Finally, each RudderStack employee agreed to the terms and conditions for keeping all data secured.
Securing the infrastructure of our production environment is crucial in obtaining the SOC 2 certification. The production environment cannot have public/unauthorized access, and access control is of ultimate importance.
To protect our production environment, we used Vanta agents that help monitor vulnerabilities on infrastructure machines.
After securing the machines, the next was code-level security. For GitHub and AWS access control, we enforced two-factor authentication.
The final task was to secure the communications. We secured our GSuite with two-factor authentication.
Consistency is the Key
Security cannot be a one-off activity; consistency is the key here. We are committed to offering a secure customer data pipeline for all of our customers. We not only collect customer data securely but also maintain security throughout. This SOC 2 certification vouches for all the efforts we take to secure customer data, and our consistency in this area will be audited and proven as we work to attain our SOC 2 Type 2 certification.
Sign up for Free and Start Sending Data
Test out our event stream, ELT, and reverse-ETL pipelines. Use our HTTP source to send data in less than 5 minutes, or install one of our 12 SDKs in your website or app. Get started.
We'll send you updates from the blog and monthly release notes.