Security is at the heart of ShortPoint's operations, from our team members to our daily processes and the technology we use. And we don't just say that. We've constantly proven it.
ShortPoint is SOC compliant, which means our organization's controls meet the highest standards for data security and continuous compliance. It may sound complicated, but it really isn't. Let's dig in deeper to help you better understand how we validate our security practices.
NOTE: ShortPoint does not access, store, or process customer content or data from your SharePoint environment.
TABLE OF CONTENTS
- SOC Reports: Independent Verification You Can Trust
- ShortPoint Achieves SOC Compliance
- Continuous Compliance Efforts and Improvements
- Frequently Asked Questions
- What is SOC compliance?
- What are the five Trust Services Criteria in SOC compliance?
- What is the difference between SOC 2 Type II and SOC 3 reports?
- Why is SOC compliance important for SaaS companies and cloud providers?
- What does a SOC audit involve?
- How does SOC compliance provide a competitive advantage?
- Can I request ShortPoint's SOC 2 Type II report?
- How does ShortPoint maintain continuous SOC compliance?
SOC Reports: Independent Verification You Can Trust
SOC, which stands for Service Organization Control, isn't really as complicated as it sounds. Think of it like a health checkup for security. SOC reports are created by independent auditors, specifically Certified Public Accountants, who examine how well a company manages and protects its internal systems and security controls that support the product.
These auditors conduct a thorough risk assessment and gap analysis focusing on the organization's internal controls to safeguard customer data. They look at five key areas called the five Trust Services Criteria, created by the American Institute of Certified Public Accountants (AICPA):

- Security - this criterion is all about protecting systems from unwanted guests. It covers everything from access controls to how the company monitors for threats and what happens if something goes wrong. These security practices are essential for maintaining a strong security posture and effective risk mitigation.
- Availability - ensures the system is up and running when you need it. Nobody likes a service that's constantly down, right? This looks at uptime, backup systems, disaster recovery plans, and adherence to service level agreements (SLAs), which are critical for maintaining trust with customers and partners.
- Processing Integrity - ensures a company’s internal systems operate consistently and reliably as designed.
- Confidentiality - is basically about keeping secrets secret. It examines how companies protect information they've designated as confidential throughout its entire lifecycle. From the moment it is first collected to the moment it is eventually deleted, the data should be protected. This is especially important for cloud service providers and managed service providers who handle sensitive client information.
- Privacy - takes things a step further by looking at personal information specifically. It ensures companies are handling your personal data according to their privacy policies and following privacy controls and best practices.
These key areas are the gold standard for keeping data safe. Using these criteria, auditors develop detailed reports, specifically SOC 2 Type II and SOC 3. To help you better understand each one, here's what they mean:
SOC 2 Type II
SOC 2 Type II examines the design and operating effectiveness of a company's security controls. It ensures that they are working effectively over an extended period, usually at least three months. This high level of scrutiny provides stronger assurance to user entities and business partners that the service organization's controls meet the highest standards for secure operations and governance.
The process is thorough but straightforward. An independent auditor familiar with the auditing framework comes in to learn how the company's systems and processes work within the defined audit scope. Then, over the examination period, they test everything to make sure it's actually working as claimed. They'll review security questionnaires, examine documentation, talk to employees, watch processes in action, and run technical tests on security systems.
The result is a detailed SOC 2 audit report that shows what necessary controls are in place, what tests the auditor ran, and whether everything passed muster. This report is detailed and technical. It includes everything you need to know about an organization's security controls.
SOC 3
While SOC 2 Type II reports are incredibly detailed and contain sensitive information that companies typically don't want to share publicly, sometimes you need a report that demonstrates your organization's ability to protect customer data in a way that can be shared widely. That's exactly where SOC 3 comes in.
A SOC 3 examination involves the same rigorous testing as SOC 2 Type II and uses the same AICPA Trust Services Criteria. The key difference lies in how the results are reported. Instead of a lengthy, technical audit document, SOC 3 produces a streamlined, summarized report that can be shared with anyone, including posting it publicly on websites or in marketing materials.
ShortPoint Achieves SOC Compliance

Recently, ShortPoint completed SOC compliance audits. The SOC examination specifically covered our application and the controls relevant to the Trust Services Criteria for security. The independent service auditor concluded that our security controls were suitably designed and operated effectively. These reports prove our service commitment to you.
NOTE: Want to see our full SOC 2 Type II report? You can request a copy from our team. We will be happy to assist you and answer any questions you may have.
Continuous Compliance Efforts and Improvements
We are committed to protecting what matters most: your trust and the security of ShortPoint’s internal systems. To keep it that way and remain compliant, ShortPoint uses real-time automation for continuous monitoring of our internal security controls. These automated processes ensure ongoing alignment with industry-leading practices and evolving compliance requirements.
Your security is our priority. Through independent audits by certified public accountants and continuous monitoring of our security controls across cloud environments, we work every day to earn and keep your trust. Our commitment to maintaining strong internal controls and adhering to the Trust Services Criteria ensures robust risk management and protection of ShortPoint’s internal information assets.
Frequently Asked Questions
What is SOC compliance?
SOC compliance refers to a certification process where a service organization undergoes an independent audit by certified public accountants to verify that it has implemented effective internal controls and security controls to protect sensitive customer data. The audit assesses the organization against the five Trust Services Criteria defined by the American Institute of Certified Public Accountants (AICPA).
What are the five Trust Services Criteria in SOC compliance?
The five key areas evaluated in SOC compliance are Security, Availability, Processing Integrity, Confidentiality, and Privacy. These criteria ensure an organization's ability to protect customer data and maintain a strong security posture.
What is the difference between SOC 2 Type II and SOC 3 reports?
SOC 2 Type II reports provide a detailed and technical review of a company's security controls and their operating effectiveness over a period, usually six months or more. In contrast, SOC 3 reports summarize the same assessment in a simplified format intended for public sharing, demonstrating the organization's ability to protect client data without revealing sensitive details.
Why is SOC compliance important for SaaS companies and cloud providers?
SOC compliance proves that a company maintains strong internal security controls and governance, critical for any SaaS provider that integrates with customer environments. It builds trust with business partners and user entities by proving that the organization meets rigorous standards for protecting sensitive data.
What does a SOC audit involve?
A SOC audit involves a thorough risk assessment and gap analysis of an organization's internal controls. Auditors test the design and operating effectiveness of the controls within the defined audit scope, review documentation, conduct interviews, and perform technical security tests to ensure compliance.
How does SOC compliance provide a competitive advantage?
Achieving SOC compliance signals to customers and partners that an organization prioritizes data privacy, regulatory compliance, and the security of customer data. This can enhance reputation, simplify vendor management, and help win contracts.
Can I request ShortPoint's SOC 2 Type II report?
Yes, ShortPoint provides access to its full SOC 2 Type II report upon request. This report offers detailed insights into our organizational controls and commitment to protecting data through appropriate controls and continuous monitoring.
How does ShortPoint maintain continuous SOC compliance?
ShortPoint employs real-time automation for continuous monitoring of our security controls. This ensures ongoing alignment with evolving industry standards and helps maintain a strong security posture to protect sensitive data effectively.
Related articles:
- How ShortPoint Classifies and Encrypts Data
- Continuous Defense: ShortPoint’s Program for Proactive Data Security
- Security by Design: How ShortPoint Protects Data
- Zero Trust Access: How ShortPoint Keeps Data Safe with Smart Security
- Security in Software Development Life Cycle: How ShortPoint Keeps the Development Lifecycle Safe and Secure
- Organizational Resilience: How ShortPoint Ensures Business Continuity
- Creating a Company Culture for Security: How ShortPoint Builds a Culture of Compliance
- Privacy by Design: How ShortPoint Complies with the General Data Protection Regulation