SOC 2 Compliance: What is it, and why does it matter?

Tassilo Karunarathna
November 17, 2022
5
minutes

We’re proud to say that Next Matter has been certified as SOC 2 compliant as of the 11th of July, 2022. This globally recognized data security certification proves that we handle customer data in line with strict regulations.

Excellent organizational practices and security are always a primary concern because our platform is also used to automate highly sensitive core operations processes within an organization. In this article, we’ll cover the full details of what the SOC 2 certification means, how it’s different from GDPR, what the testing was like, when re-evaluations will happen, and even how Next Matter can be used for your compliance needs. 

In this article:

1. What is SOC 2? 

SOC 2 is a data security compliance certification created in 2017 by the AICPA (American Institute for Certified Practicing Accountants). The goal of creating this certification was to help organizations mitigate potential cybersecurity threats. It was developed to meet five different requirements for data protection: 

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

These standards are applied in SOC for Cybersecurity by evaluating a company’s plan for keeping data secure. SOC 2 takes this further and requires proof of an organization’s data security plans. This means an extensive audit along with evidence-based tests tailored to the specific security plan laid out by a company. 

What this means is that the test for a software company like us is going to be much different than for a manufacturing company. By creating customized tests and placing auditors in fields they’re most familiar with, tests become more accurate and better qualified to evaluate a company and its data security practices. We were audited on three of the five requirements.

If you’re interested in learning more about the SOC 2 audit, the AICPA has a white paper explaining the different types of tests conducted for certification.

Why did Next Matter choose SOC 2 and not GDPR?

That’s not only an excellent question, but a simple one to answer. Because we’re based in Europe, we’re legally obligated to abide by the rules and regulations set out by GDPR for data security and privacy. These regulations are in place for any and all data processed within the EU. 

That’s why we decided to pursue the SOC 2 certification. It encompasses different security standards than GDPR, and it’s globally recognized. Because we’re located in Europe and already required by law to conform to the strictest data protection and security standards in the world, we wanted to add SOC 2 to show just how serious we are about data privacy. 

2. How is SOC 2 different from GDPR?

You can think of SOC 2 and GDPR as very similar, but with a few key differences. First, GDPR allows people to prosecute a company if they violate any of the strict regulations set in place. It functions as a law and not as an evaluation standard.

SOC 2, on the other hand, is a certificate proving that a company has strong data security measures in place but they can’t be legally enforced. Because we have both the evaluation and the legal requirement, we think of it as having both the before (SOC 2) and the after (GDPR) covered. SOC 2 is also issued annually, so our customers know that we’re always up-to-date with our data security.

Otherwise, we’ve listed the main differences between them in the table below:

GDPR

 

vs.

SOC2

     
Data transparency   Data transparency
GDPR compliant companies have to inform customers about the type of data being collected and for what reason.   SOC 2 compliant companies have to inform customers about which data is collected and for what purposes.  
     
Consent   Consent
GDPR compliant companies have to obtain consent for the collection of customer data (especially if this data is being used beyond its original purpose).   SOC 2 compliant companies have to obtain consent from customers for the collection, use, retention, disclosure, and disposal of personal data.  
     
Limited information   Limited information
GDPR compliant companies have to collect the minimum amount of data possible to perform their service.   SOC 2 compliant companies have to comply and prove the data they’re collecting is consistent with their private policy and regulations set out by SOC 2.
     
Data accuracy   Data accuracy
GDPR compliant companies have to ensure the personal data collected is accurate and can be changed or erased when required.   SOC 2 compliant companies have to allow personal data to be updated when needed and ensure data collected by third parties is also accurate.  
     
Proper security   Proper security
GDPR compliant companies have to ensure the personal data collected is either encrypted or anonymized to ensure proper security.   SOC 2 compliant companies have to ensure the personal data collected is either encrypted or anonymized to ensure proper security.
     
Enforced by law   Certification only
GDPR compliant companies have legal jurisdiction in the EU and can therefore be held legally liable for any violated data privacy rules.   SOC 2 compliant companies only go through auditing and testing of how they store personal data. This is a certification and not enforced by law. 
     
Right to deletion   Data privacy
GDPR compliant companies have to delete personal or customer data on request. If violated, there is a severe punishment.   SOC 2 compliant companies are not required to delete data on request, but not doing so is likely to result in a loss of certification if not followed. 


3. What is the testing for SOC 2 like?

The testing for SOC 2 is rigorous as it tests all of the above-mentioned data security measures and systems within a company. The audit is done by professionals who are familiar with the industry and create custom benchmarks for the five requirements of data protection set out by the AICPA: Security, availability, processing integrity, confidentiality, and privacy.

After adapting to these processes, we knew we were ready for the SOC 2 audit.

What it’s like being audited for SOC 2

To be honest, the auditing was pretty easy for us. We just had to show evidence of security measures that were already implemented and run a disaster recovery exercise to prepare for a potential cybersecurity attack. 

If they had any doubts about any of the measures required for SOC 2 certification, they would have started an interview phase to double-check that the proof you’re giving them is accurate. This is an annual cycle, so each year, we’ll begin SOC 2 auditing and testing around January to have it completed by April for certification in July. With an independent audit each year, automated compliance updates, and also GDPR, we believe it’s the best security setup we can provide our customers. 

4. How to use Next Matter for compliance

One ongoing challenge of any audit is to actually provide proof that you are actually doing the things that you claim to do. While some software can cover things Next Matter can’t (like tracking a team’s computers to make sure they’re encrypted), we use Next Matter for all other compliance processes. This includes our quarterly internal compliance check and other tasks like onboarding and offboarding customers and employees to ensure our data is secure.

Creating a process is relatively easy since you’ll be able to name it whatever you need and set the date it should reoccur (or keep it manual for unexpected on- or offboardings. Each step is already listed, and procedures can be updated to keep up with guidelines. 

Whatever email is attached to your Next Matter account will also get the reminder that your compliance report is due, so you won’t need to worry about setting reminders and processes in your calendar. Another reason why we were able to get the SOC 2 certification so easily is that all of the completed instances can be used as proof in your compliance certification if needed (or if data leaks occur, you have an overview of the time an instance was completed and pinpoint where the data leak might have happened through this trail). 

Interested in seeing an example of your compliance processes with Next Matter? Book a demo!

Subscribe

Get the latest operations thinking and Next Matter updates once a week.

You've subscribed to the
Next Matter blog.
Oops! Something went wrong while submitting the form.
About the author
Tassilo Karunarathna is a lifelong optimization enthusiast. GTD, Kon.Mari, you name it. He has lived that passion during his previous career as a management consultant when doing digital transformations for both corporates and digital pure players. Say hi if you spot him biking through Vienna with his family of 6.

Ready to build a home for your operations?

Book Demo