What SOC 2 Means for Securing our Customers’ Data

Gil Feig, Merge
4 min read · Apr 20, 2021

Merge is a leading provider of Human Resource (HRIS), Payroll, Recruiting (ATS), and Accounting integrations for B2B companies. In this article, we outline why we chose to prioritize securing customer data via SOC 2 early on at Merge, how we went about securing our certification, and how SOC 2 has helped us since.

Unblocking Enterprise Sales

SaaS sales are hard. The evaluation cycles are lengthy, and as you start selling to larger customers, each stage of the process takes longer and longer. Going up-market means more stakeholders to convince, procurement that follows tighter policies, and rigorous security reviews (network diagrams, encryption methods, underwear color, load balancer capacity, etc.), leaving no room for error.

Fortunately, the security review phase has a solution. Follow a security-first model, like we did here at Merge, and get your SOC 2 before storing a single piece of customer data.

The Startup Security Problem

Prior to starting Merge, I led the engineering team at Jumpstart, a diversity hiring platform doing incredible things in the world of DE&I. Initially, we had no trouble with security reviews.

As we grew out functionality and naturally started selling to larger customers, the 200-question security reviews began. Despite always following a rigid security model, we’d be stuck in a customer’s security review for months. Even so, companies could ignore our industry-leading security answers and simply reject us.

As an early-stage tech company, our answers to customer questions about security simply weren’t enough. We could describe our data as being completely air gapped and stored on Mars, but it didn’t matter.

Our woes didn’t last for long, however. We soon discovered SOC 2.

What is SOC 2?

SOC stands for Service and Organization Controls. It is a standard that defines five “trust criteria”: Security, Confidentiality, Processing Integrity, Availability, and Privacy.

If you’ve completed security reviews during a sales cycle, you’ll recognize many of the requirements, especially within the Security trust criterion. Most companies do not seek to be audited for all criteria, and stick to the ones most relevant to their product’s needs. The most common among growing startups are Security, Confidentiality, and Availability.

There are a series of requirements ranging from ensuring proper code reviews and durable load balancers to ensuring new employees complete background checks. These principles are defined quite generically, so working with a readiness platform for guidance is essential.

How to Become SOC 2 Compliant

Only a few years ago, obtaining a SOC 2 report was a lengthy back-and-forth process with some of the world’s oldest consulting firms. For hours, you would have to sit there gathering each and every piece of evidence they asked for. Accumulating hundreds of screenshots across as many platforms is a lengthy, anxiety-inducing process. After handing off the evidence, you sit and wait with little insight, only to receive a report back potentially listing numerous “exceptions” (aka violations).

That experience is antithetical to Silicon Valley’s love for self-guided and automated platforms. Naturally, a generation of SOC 2 readiness platforms was built to prepare companies for easy, automated security auditing.

A good SOC 2 readiness platform should:

  1. Provide tooling to assist with time-consuming tasks.
    Why write 20 internal policies if they can be generated for you? You should be able to modify provided templates rather than start from scratch. Utilize provided inventory/laptop monitoring, security patch software, progress report generators, and more. These tools combine to make achieving SOC 2 compliance a breeze.
  2. Automate tracking compliance by integrating with as many vendors as possible.
    For example, integrations with cloud software providers to track the usage of load balancers and antivirus software, integrations with ticketing systems to ensure proper vulnerability tracking, and integrations with identity management providers to monitor employee access to various other services.
  3. Show a clear outline of the overall requirements and your progress.
    There are hundreds of requirements. If you don’t have a clear idea of what you’ve completed and what’s left, you’re going to be lost and confused about your progress.

One of our favorite customers and partners is Drata, a platform built from the ground-up to support companies seeking their SOC 2. They offer integrations with many common providers (which they’ve managed to build with Merge’s help!), and have a rich and robust purpose-built platform.

Start Now

Startups can never start the SOC 2 process early enough. At Merge, we made it our goal to receive our SOC 2 report before ever storing a piece of customer data. As a result, we’re confident that we follow the best industry standards. The security of our customers’ data is our top priority, and the external validation of our processes and procedures lends us even more confidence.

Seeking our SOC 2 out of the gate also made the preparation and audit process two to three times easier than in our past experiences. We put industry-leading standards in place before we ever enabled a wild-west culture.

In part due to our high emphasis on security, Merge is a leading provider of Human Resource Information System (HRIS), Application Tracking System (ATS), payroll, and accounting integrations. Companies ranging from startups to enterprises trust us to process millions of data points, enabling their developers to integrate once to offer customers 30+ integrations.

Sign up free here to check us out or email us at hello@merge.dev! We’re also always happy to hop on a video call.
