What's a SOC 2 certification?

Companies get a SOC 2 report to show off how secure and compliant their processes are to potential customers.

As more startups start to focus on moving up-market and selling into enterprises, SOC 2 has been having a moment – pretty much every company I’ve worked at has gone through the report process.

Security certifications and such aren’t just for giant companies - even small (like literally, 5-person) startups are thinking about SOC 2 these days. So what’s changed?

SOC 2 isn’t technically a certification, since there’s no central body that decides which startups get bestowed with the honorary “SOC 2 crown.” Instead, it’s a report issued by a third party auditor that verifies “yes, this company is decently not terrible at security and compliance.”

The standards that auditors look for, though, are determined by a central body – it’s called the American Institute of Certified Public Accountants (AICPA), an organization we can only imagine parties hard on the weekends.

Ah yes, the section you’ve been waiting for - what does this CeRtIfIcAtIoN actually mean? There are basically two pieces of governance and security that auditors look for:

Your auditor will give you an itemized list of things your company needs to do, and your team needs to give them proof that you actually do those things. And if you don’t do them yet (for example, you don’t have issue tracking set up for your codebase), you need to set them up.

If you’re wondering why Technically is covering SOC 2 (we are not a compliance newsletter), it’s because SOC 2 reports tend to cover a lot of tech stuff. Engineering teams need to be heavily involved in the reporting process, because auditors are looking for very specific controls on the software development process. A few examples:

At the companies I’ve worked with who went through SOC 2 audits, there was usually a developer lead responsible for handling most of this stuff. And they have to do a lot of manual, kind of annoying non-technical things, like tracking down information, taking screenshots of settings, etc. Teams are starting to use SaaS like Secureframe to automate that process, but more on that later.

And if you’re interested in diving deeper into the technology piece here, I wrote about it on the WorkOS blog a while back.

The word “audit” is very scary, but getting that SOC 2 report doesn’t need to be a nightmare. Standards are generally very straightforward, and while you need to put time into it, it’s a predictable cycle. In general, budget:

In other words - it’s a serious investment, but one that pays off and shouldn’t consume all of your time.

→ Finding an auditor

The first step to getting that elusive report is finding an auditor to work with. There are literally thousands, which can be a bit overwhelming – a basic Google search is your friend, or consider working with a company like Secureframe that can connect you with a vetted auditor network, plus help with the details via an in-house compliance team.

→ Working with a technology partner

Because the tech part of SOC 2 tends to be the most tedious and specific of the audit requirements, you can outsource pieces of it to companies like Secureframe or Vanta. They’ll connect to your tech and infrastructure (e.g. AWS, Rippling, Github) and automate some of the process (or proof) that your auditors are looking for.

→ Alternative certifications

As you try and expand your customer base, it becomes evident that SOC 2 is just the start. Larger and larger enterprises ask for more specific certifications and reports, often specialized to arenas like healthcare or finance. A few examples: