Think about the brands you’re a fan of. For me, some of those brands are Toyota, Yeti, and Patagonia. Underlying my interaction with those brands is trust. I trust that their products or services will work safely, make my life better, and be available when I need them. I also trust and expect they’ll keep any information they collect about me safe and secure, handle it responsibly, and use it only for purposes of better serving me as a customer.
At ActionIQ, we are a part of helping brands establish that kind of trust. We develop and implement an industry-leading Customer Data Platform (CDP). It’s SaaS that enables our clients to serve their customers better by creating helpful, personalized experiences. Our goal is to help brands communicate with customers in relevant ways, at the right time and over the right channel. To do that, brands transmit and store personally identifiable information (PII) in our systems.
A Culture of Security
We’re fortunate to work with some of the world’s largest, most respected and most sophisticated brands. Just like consumers trust them, we need them to trust us when it comes to safeguarding PII — without reservation. That’s why we’ve worked hard to ingrain security into our culture. It’s also why we decided to submit ourselves to examination under one of the most stringent compliance standards in the industry: SOC 2® Type 2.
What Is SOC 2 Type 2?
A little bit about my role and background: I currently lead technical operations. TechOps is a mix of things under the operations umbrella, including site reliability engineering, security, infrastructure, incident management, observability, and a whole host of other work. I’ve been in this kind of work for quite a few years, previously at Microsoft, Nordstrom and a few other name-brand companies, often in SLA- and compliance-driven environments. That’s meant accountability for protection of data across a broad range of uses: retail, education, infectious disease research, military and more.
I’d always been responsible for maintaining compliance. But when ActionIQ decided to take on SOC 2 Type 2, it was the first time I was charged with leading a compliance examination and helping to ensure it for the entire organization. So, for starters, I dug in to learn all about SOC 2 Type 2.
SOC 2 is an attestation framework established by the American Institute of Certified Public Accountants (AICPA). Reports are issued against the Trust Services Criteria: security (the common criteria, which every SOC 2 report must cover) plus, at the company’s election, availability, processing integrity, confidentiality and privacy. A SOC 2 examination is performed by an independent, licensed CPA firm, typically one that specializes in cybersecurity and compliance; the auditor is independent of the technology provider, and the AICPA sets the standard but does not perform or approve individual examinations.
The differences between SOC 2 Type 1 and Type 2 are significant. A Type 1 report covers a single point in time: the auditor reviews your policies and confirms that controls matching the SOC 2 Trust Services Criteria are suitably designed and in place on that date. We were SOC 2 Type 1 prior to beginning this effort, but Type 2 is a more difficult proposition. A Type 2 report covers a period (ours was 6 months; 12 is also common) and requires evidence that the controls actually operated throughout it, not just that they were written down. Rather than simply reviewing a policy that says “all guests must sign in”, the auditor might request pages of your sign-in sheet from several randomly chosen days during the 6-month examination period. Instead of only reading a policy that states “managers must deactivate accounts during intern offboarding”, the auditor would take the list of every intern who departed in the period, select a sample, and ask for the offboarding record and the account-deactivation evidence for each one, with dates, to confirm it happened on time. Any sampled case where the evidence is missing or late is written up as an exception in the report. In short, the Type 2 process is designed to attest that you have internal controls and accountability in place, and that you live by these policies.
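To make the offboarding test above concrete, here is an added example of how the control can be checked from two exports: an HR list of departures and an identity-provider list of accounts with their status and disable date. This is illustration code, not ActionIQ’s or the auditor’s tooling; the record formats, the one-day deactivation SLA, the examination dates and all the sample people are assumptions constructed for the example. It builds the population the auditor would sample from, draws a reproducible sample, and reports every departure whose account is still active, was disabled late, or has no identity record to evidence at all.

```python
"""Offboarding-control reconciliation (added example, not the page's own tooling).

Assumed inputs, both constructed here:
  - an HR export of people who left during the examination period
  - an identity-provider export of accounts, with status and the date
    each was disabled (None if never disabled)
For every departure in the window the check asks what the auditor asks:
was the account disabled, and within the deactivation SLA?
"""
from dataclasses import dataclass
from datetime import date
import random
from typing import Optional


@dataclass(frozen=True)
class Departure:
    email: str
    last_day: date


@dataclass(frozen=True)
class Account:
    email: str
    active: bool
    disabled_on: Optional[date]  # None if the account was never disabled


# Assumed examination period for the example.
PERIOD_START = date(2021, 3, 1)
PERIOD_END = date(2021, 8, 31)

# Constructed sample data, not real records.
DEPARTURES = [
    Departure("intern1@example.com", date(2021, 6, 11)),
    Departure("intern2@example.com", date(2021, 7, 30)),
    Departure("intern3@example.com", date(2021, 8, 13)),
    Departure("intern4@example.com", date(2021, 8, 20)),
    Departure("old.hire@example.com", date(2020, 12, 18)),  # before the window
]

ACCOUNTS = {
    "intern1@example.com": Account("intern1@example.com", False, date(2021, 6, 11)),
    "intern2@example.com": Account("intern2@example.com", True, None),  # never disabled
    "intern3@example.com": Account("intern3@example.com", False, date(2021, 8, 27)),  # two weeks late
    # intern4 has no identity record at all: nothing to evidence
    "old.hire@example.com": Account("old.hire@example.com", False, date(2020, 12, 18)),
}


def population(departures, period_start, period_end):
    """Departures inside the examination period: the set the auditor samples from."""
    return [d for d in departures if period_start <= d.last_day <= period_end]


def sample_population(pop, size, seed):
    """Seeded random sample, so the same selection can be reproduced for the auditor."""
    rng = random.Random(seed)
    return sorted(rng.sample(pop, min(size, len(pop))), key=lambda d: d.last_day)


def check_departure(dep, accounts, sla_days):
    """Return None if the control operated for this person, else (email, reason)."""
    acct = accounts.get(dep.email)
    if acct is None:
        return (dep.email, "no_identity_record")
    if acct.active or acct.disabled_on is None:
        return (dep.email, "still_active")
    # Disabling on or before the last day is fine; only lateness beyond the SLA is flagged.
    if (acct.disabled_on - dep.last_day).days > sla_days:
        return (dep.email, "disabled_late")
    return None


def reconcile(departures, accounts, period_start, period_end, sla_days=1):
    """Test every departure in the period; returns population size and the exceptions."""
    pop = population(departures, period_start, period_end)
    exceptions = [r for r in (check_departure(d, accounts, sla_days) for d in pop) if r]
    return {"population": len(pop), "exceptions": exceptions}


if __name__ == "__main__":
    result = reconcile(DEPARTURES, ACCOUNTS, PERIOD_START, PERIOD_END)
    print(f"population {result['population']}, exceptions {len(result['exceptions'])}")
    for email, reason in result["exceptions"]:
        print(f"  {email}: {reason}")
    print("auditor sample:", [d.email for d in sample_population(
        population(DEPARTURES, PERIOD_START, PERIOD_END), 2, seed=7)])
```

Running the whole population rather than only the auditor’s sample is the point: if you can produce this report on demand every month, the audit request becomes a lookup instead of a scramble, and the exceptions surface while they can still be fixed.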
Side note: I strongly advise companies to pursue Type 1 before progressing to Type 2. The work my colleagues had already done for Type 1 made my job significantly easier than it would have been otherwise — the policies, norms, and processes were in place. With our Type 2 audit, I just needed to show the proof.
What Isn’t SOC 2 Type 2?
One common misconception is that SOC 2 is a certification. There is no certificate: the deliverable is an attestation report containing the auditor’s opinion, the controls tested and any exceptions found. Rather than being something you “get done,” SOC 2 is more of an ongoing commitment to a way of life, with very high and specific standards for security, processing integrity, availability, confidentiality and privacy. How often a company chooses to re-attest is up to it, but you should expect companies you trust to do this about once a year, and you should ask to see the report (it is usually shared under NDA) rather than take the claim on faith: check the period end date, which criteria were in scope, and whether any exceptions were noted. Without a recent attestation, there’s every possibility that compliance has deteriorated in the time elapsed.
Furthermore, SOC 2 isn’t an explicitly technical standard. How you choose to implement controls to achieve and maintain the desired state is up to your team. The focus of SOC 2 is on process controls, behavioral controls and technical controls, and these areas of examination will touch the engineering, IT, finance, and administrative teams at most companies. The auditors’ primary responsibility is to confirm that you are achieving the end goal, not to attest that your solution is the most technically excellent or popular one for a given compliance problem. For example, there are a lot of sophisticated, tablet-based front desk sign-in apps that capture a photo and arrival/departure times for guests at your office. You can also do this with an old-fashioned clipboard, and that’s considered compliant, as long as you can produce the sheets when asked. For this reason, it’s important to understand the intention of a SOC 2 criterion, rather than parrot what you’ve seen elsewhere, if you want to achieve meaningful compliance for your company.
How We Got There
So, how did we get there? First, we needed to choose an auditor. We selected A-LIGN, the cybersecurity and compliance firm. I am happy we chose well — our auditors and I talked almost daily for weeks.
Working together, we did a detailed review of ActionIQ policies. We provided evidence for our disaster recovery/game day drills. We reviewed our risk assessments, and the work we did to support those assessments. Of the list of a thousand things required for SOC 2 Type 2, the auditors would pick a random sampling of requirements and ask us to produce a 6-month time window of evidence for compliance review. Earlier in the year, we simulated an office shutdown for business continuity purposes: the whole company worked remotely, and we tested our ability to continue to serve our customers and run the entire business. (This was not a challenge for us; ActionIQ is remote-friendly and has a distributed workforce!)
What was the hardest part? The breadth! Putting together a comprehensive checklist to track the many granular things we needed to do to demonstrate compliance, and making sure we had true ownership within the company for all responsibilities on an ongoing basis. My colleagues performed amazingly when it came to taking ownership of security, processing integrity, availability, confidentiality and privacy and making them not just our job… but an actual part of our company’s culture. We have named owners for every core area of internal controls, but everyone at ActionIQ believes trust and security are their responsibility.
On a personal note: the experience of drafting and implementing our SOC 2 Type 2 plan was a lot more fun than I expected. I was pleasantly surprised by how helpful our auditors were. This is not an adversarial exercise; auditors for SOC 2 are a neutral third party. They came ready with tools to help us track the status of evidence collection, and with great project management chops to help us navigate the hundreds of requests for evidence that we worked through. It was really a positive relationship, and there was even a sense of camaraderie by the time our examination was complete.
How SOC 2 Helps Our Customers
The CDP market we’re part of is complex. There are a ton of technologies, a ton of vendors, and a lot of noise. Vendor selection is a full time job. To select a technology partner, you need to ask a lot of product and feature oriented questions to evaluate if a solution is right for your team. After that, you’ll likely need to ensure that a given product will pass your company’s internal security review. Compliance is not synonymous with security, but by demonstrating SOC 2 Type 2 compliance, we take a lot of those questions off the table right away, because prospective customers know ActionIQ is compliant with one of the industry’s most stringent standards.
Knowing we have best practices in place lets our customers stay more focused on improving their customer relationships, their marketing, and their overall business. And that’s where we all want to be spending the bulk of our time and energy. Knowing that your vendors have a strong stance in security and compliance helps you manage risk and ultimately contributes to a stronger reputation for your company and a better relationship with your customers.
What’s Next for Trust and Security at ActionIQ?
With SOC 2 Type 2, there is no “off season.” It’s an ongoing commitment. We constantly work to exceed the standards. And as SOC 2 evolves, with the AICPA periodically revising the Trust Services Criteria, ActionIQ stays ahead of it.
Right now, however, we’re proud to say we’re committed to SOC 2 Type 2, and all the benefits it brings to our customers.
David is an Engineering Director who enjoys building resilient, reliable products and teams.
In his free time David enjoys making electronic music, collecting folk art, and cooking.