Dwolla’s SOC 2 Type 2 Assessment and Report

Ben Schmitt
Published in Dwolla
Jan 26, 2018

We are pleased to announce the availability of a SOC 2 Type 2 Report for Dwolla, Inc.

Built upon Dwolla’s existing internal control framework and focused on the Security trust services principle, the report provides independently verified information for our customers, covering the assessment of approximately 80 security controls over a six-month observation period.

This rigorous review process, facilitated by a trusted, independent third-party firm, is now a part of how we do business at Dwolla. The process and initial outcome have been fantastic, enabling Dwolla to rely on its existing security foundation while also delivering continuous improvements and building process excellence.

The report is available immediately and can be provided to approved recipients by submitting a request to one of Dwolla’s Account Managers or a member of our sales team.

The value of a SOC 2 Report

At Dwolla, we are consistently improving our platform and security program. Focusing on and delivering the SOC 2 Report is another step forward in our effort of continuous improvement.

Dwolla’s SOC 2 Report now serves as an assurance document for our partners, demonstrating that we take thoughtful, appropriate steps to protect our systems and data. Unlike a Type 1 report, which attests to control design at a single point in time, a Type 2 report is based on observation over an extended period and on the operating effectiveness of our internal controls during that period. It is an integral element of our security program and builds upon our culture of advancing information security.

In order to achieve the SOC 2, Dwolla started with a solid foundation supported by a thoughtfully developed information security program. This program is based on a number of security-first principles such as security by design, strong authentication, and cryptographic data protection, as well as an integrated, independently tested control framework based on the CIS Critical Security Controls (the “CIS 20”).

One example: Dwolla employees are required to use multi-factor authentication (MFA) based on Duo Security and YubiKey. In practice, our VPN requires a username and password, an issued digital certificate, and a one-time password generated by an enrolled YubiKey, so a stolen password alone is not enough to connect.

What does this mean? Our practice of multi-factor authentication directly supports SOC 2 Common Criteria CC5.1, which covers logical access controls.
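The paragraph above relies on the YubiKey password being one-time. The following is an added example, not Dwolla’s code or Yubico’s, showing the checks a validation server applies to a Yubico OTP so that a captured value cannot be reused. A real OTP is 44 modhex characters: a 12-character public ID followed by 32 characters encoding a 16-byte block that the key encrypted with AES-128 under a secret it shares with the validation server. Decryption is out of scope here, so the verifier takes a decrypt callback that defaults to the identity (an assumption, labelled in the code) and the sample blocks, private identity and public ID are constructed. What it does demonstrate is the plaintext block layout, the CRC-16 integrity check, and the session/use counter comparison that rejects replayed or stale tokens.

```python
"""Added example (not Dwolla's or Yubico's code): replay rejection for a Yubico OTP."""
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico's layout-independent hex alphabet, nibble 0..15


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not modhex")
    return bytes((MODHEX.index(text[i]) << 4) | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))


def crc16(data: bytes) -> int:
    """CRC-16 as used in the Yubico OTP block (reflected poly 0x8408, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_block(uid: bytes, session: int, use: int,
                timestamp: int = 0x012345, rnd: int = 0xBEEF) -> bytes:
    """Construct the 16-byte plaintext block a key produces before encrypting it.

    Layout: uid[6] | session counter (LE16) | timestamp (LE24) | session use (1) |
    random (LE16) | inverted CRC-16 over the first 14 bytes (LE16).
    """
    body = uid + struct.pack("<HHBBH", session, timestamp & 0xFFFF,
                             (timestamp >> 16) & 0xFF, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


class OtpVerifier:
    """Tracks the last accepted counters per key and refuses anything not newer."""

    def __init__(self, registered_uids, decrypt=lambda public_id, blob: blob):
        self.uid_for = dict(registered_uids)   # public ID -> private uid bytes
        self.last_seen = {}                    # public ID -> (session, use)
        self.decrypt = decrypt                 # assumption: identity stands in for AES-128

    def verify(self, otp: str) -> str:
        if len(otp) != 44:
            return "malformed"
        public_id, body = otp[:12], otp[12:]
        if public_id not in self.uid_for:
            return "unknown key"
        try:
            block = self.decrypt(public_id, modhex_decode(body))
        except ValueError:
            return "malformed"
        if len(block) != 16:
            return "malformed"
        stored_crc = struct.unpack("<H", block[14:])[0]
        if stored_crc != ~crc16(block[:14]) & 0xFFFF:
            return "bad crc"         # wrong key, corruption or tampering
        if block[:6] != self.uid_for[public_id]:
            return "uid mismatch"    # decrypted, but not this key's secret identity
        session = struct.unpack("<H", block[6:8])[0] & 0x7FFF  # top bit is a flag, not a count
        use = block[11]
        if (session, use) <= self.last_seen.get(public_id, (-1, -1)):
            return "replayed"        # already seen, or older than the last accepted token
        self.last_seen[public_id] = (session, use)
        return "ok"


UID = b"\x01\x02\x03\x04\x05\x06"   # constructed private identity
KEY_ID = "cccccccccccc"             # constructed public ID (modhex)


def otp_for(session: int, use: int, uid: bytes = UID, key_id: str = KEY_ID) -> str:
    return key_id + modhex_encode(build_block(uid, session, use))


def demo() -> list:
    """Walk a verifier through fresh, replayed, stale, tampered and foreign tokens."""
    v = OtpVerifier({KEY_ID: UID})
    first = otp_for(3, 0)
    tampered = bytearray(build_block(UID, 5, 0))
    tampered[12] ^= 0x01            # flip one bit of the random field
    return [
        v.verify(first),                                   # fresh token
        v.verify(first),                                   # same token again
        v.verify(otp_for(3, 1)),                           # next press in the same session
        v.verify(otp_for(3, 0)),                           # older than last accepted
        v.verify(otp_for(4, 0)),                           # new power-up session
        v.verify(KEY_ID + modhex_encode(bytes(tampered))),  # CRC no longer matches
        v.verify(otp_for(5, 0, uid=b"\xff" * 6)),          # right key ID, wrong identity
        v.verify(otp_for(5, 0, key_id="dddddddddddd")),    # unregistered key
    ]


if __name__ == "__main__":
    print(demo())
```

The counter comparison is what makes the value one-time: the session counter advances on every power-up and the use counter on every press, so the server only has to remember the highest pair it has accepted per key. A production validator additionally rejects tokens whose decrypted uid does not match the registered key, exactly as the `uid mismatch` branch does, because a block that decrypts to the wrong identity means the wrong AES key was used.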

Dwolla’s SOC 2 journey

Dwolla’s SOC 2 journey started in 2016 with the selection of a trusted, national firm to lead the SOC 2 assessment. Next, the platform system description, control frameworks and approach to security were evaluated.

After this evaluation, there was an observation period covering the performance of the control frameworks over six months, evidenced through on-site audits, walk-throughs, and documentation demonstrating operating effectiveness.

The third-party firm conducted additional observation periods, and then the reporting phase began. This phase is when the final report was delivered to Dwolla for authorized distribution to our partners.

We are never done

Dwolla will continue to automate, measure, monitor, and improve as we begin the next SOC 2 observation period in 2018.

Dwolla recognizes that security is never done, but rather, it is a process. The SOC 2 Report is a milestone on our journey but is not a final destination. We are proud of our information security program and our continual focus on providing the ideal platform to safely move money.

To request a copy of our SOC 2 Report, please reach out to one of Dwolla’s Account Managers or a member of our sales team.

Or, learn more about Dwolla’s security.

Originally published at www.dwolla.com on January 26, 2018.
