SOC 2 Compliance: What is it, and why does it matter?
Updated May 22, 2023:
We’re proud to say that Next Matter has once again been certified as SOC 2 Type II compliant as of April 22, 2023, with no exceptions. This globally recognized and annually recurring data security certification proves that we handle customer data in line with the strictest regulations.
Excellent organizational practices and security are always a primary concern because our platform is also used to automate highly sensitive core operations processes within an organization. In this article, we’ll cover the full details of what the SOC 2 certification means, how it’s different from GDPR, what the testing was like, when re-evaluations will happen, and even how Next Matter can be used for your compliance needs.
In this article:
1. What is SOC 2?
SOC 2 is a data security compliance certification created in 2017 by the AICPA (American Institute for Certified Practicing Accountants). The goal of creating this certification was to help organizations mitigate potential cybersecurity threats. It was developed to meet five different requirements for data protection:
- Processing Integrity
These standards are applied in SOC for Cybersecurity by evaluating a company’s plan for keeping data secure. SOC 2 takes this further and requires proof of an organization’s data security plans. This means an extensive audit along with evidence-based tests tailored to the specific security plan laid out by a company.
What this means is that the test for a software company like us is going to be much different than for a manufacturing company. By creating customized tests and placing auditors in fields they’re most familiar with, tests become more accurate and better qualified to evaluate a company and its data security practices. We were audited on three of the five requirements.
If you’re interested in learning more about the SOC 2 audit, the AICPA has a white paper explaining the different types of tests conducted for certification.
Why did Next Matter choose SOC 2 and not GDPR?
That’s not only an excellent question, but a simple one to answer. Because we’re based in Europe, we’re legally obligated to abide by the rules and regulations set out by GDPR for data security and privacy. These regulations are in place for any and all data processed within the EU.
That’s why we decided to pursue the SOC 2 certification. It encompasses different security standards than GDPR, and it’s globally recognized. Because we’re located in Europe and already required by law to conform to the strictest data protection and security standards in the world, we wanted to add SOC 2 to show just how serious we are about data privacy.
2. How is SOC 2 different from GDPR?
You can think of SOC 2 and GDPR as very similar, but with a few key differences. First, GDPR allows people to prosecute a company if they violate any of the strict regulations set in place. It functions as a law and not as an evaluation standard.
SOC 2, on the other hand, is a certificate proving that a company has strong data security measures in place but they can’t be legally enforced. Because we have both the evaluation and the legal requirement, we think of it as having both the before (SOC 2) and the after (GDPR) covered. SOC 2 is also issued annually, so our customers know that we’re always up-to-date with our data security.
Otherwise, we’ve listed the main differences between them in the table below:
3. What is the testing for SOC 2 like?
The testing for SOC 2 is rigorous as it tests all of the above-mentioned data security measures and systems within a company. The audit is done by professionals who are familiar with the industry and create custom benchmarks for the five requirements of data protection set out by the AICPA: Security, availability, processing integrity, confidentiality, and privacy.
After adapting to these processes, we knew we were ready for the SOC 2 audit.
What it’s like being audited for SOC 2
To be honest, the auditing was pretty easy for us. We just had to show evidence of security measures that were already implemented and run a disaster recovery exercise to prepare for a potential cybersecurity attack.
If they had any doubts about any of the measures required for SOC 2 certification, they would have started an interview phase to double-check that the proof you’re giving them is accurate. This is an annual cycle, so each year, we’ll begin SOC 2 auditing and testing around January to have it completed by April for certification in July. With an independent audit each year, automated compliance updates, and also GDPR, we believe it’s the best security setup we can provide our customers.
4. How to use Next Matter for compliance
One ongoing challenge of any audit is to actually provide proof that you are actually doing the things that you claim to do. While some software can cover things Next Matter can’t (like tracking a team’s computers to make sure they’re encrypted), we use Next Matter for all other compliance processes. This includes our quarterly internal compliance check and other tasks like onboarding and offboarding customers and employees to ensure our data is secure.
Creating a process is relatively easy since you’ll be able to name it whatever you need and set the date it should reoccur (or keep it manual for unexpected on- or offboardings. Each step is already listed, and procedures can be updated to keep up with guidelines.
Whatever email is attached to your Next Matter account will also get the reminder that your compliance report is due, so you won’t need to worry about setting reminders and processes in your calendar. Another reason why we were able to get the SOC 2 certification so easily is that all of the completed instances can be used as proof in your compliance certification if needed (or if data leaks occur, you have an overview of the time an instance was completed and pinpoint where the data leak might have happened through this trail).
Interested in seeing an example of your compliance processes with Next Matter? Book a demo!
Get exclusive content and automation hacks straight in your inbox
Get the latest operations thinking and Next Matter updates once a week.
Next Matter blog.