Modern Digital Business | DocuWare Blog

What Is SOC 2 Compliance and Why Does It Matter?

Written by Joan Honig | Aug 12, 2021

If a colleague mentions “sock two,” they’re not referring to clothing that’s been lost in the wash. The “SOC” in SOC 2 stands for System and Organizational Controls. The certification process was created by the American Institute of Certified Public Accountants (AICPA) with the goal of ensuring that a company’s customer data is protected from unauthorized access and cyberthreats. DocuWare recently achieved SOC 2 Type 2 compliance – and we’re enormously proud of our accomplishment.

DocuWare had already qualified for SOC 2 Type 1 status, which proves compliance at a single point in time. This year, we followed up with a more rigorous Type 2 audit that measures ongoing compliance. The audit verified DocuWare’s eligibility to be upgraded to SOC 2 Type 2 status and will be repeated annually.

How auditors determine compliance

DocuWare was audited by CohnReznick, a leading advisory and tax firm that specializes in confirming that companies meet the AICPA’s Trust Services Criteria. These criteria are used to evaluate the design and operating effectiveness of internal controls connected to:

Security

The protection of data and systems from unauthorized access by using IT infrastructure such as firewalls, two-factor authentication, endpoint protection and network monitoring tools that prevent or detect unauthorized activity.

Availability

An assessment of network performance levels, the monitoring and minimizing of potential external threats, and the delivery of appropriate data backup and disaster recovery plans.

Processing integrity

Ensures that systems perform as intended and are free of accidental or unexplained errors or unauthorized activity. This means that data processing operations should be authorized, accurate and reliable.

Confidentiality

Refers to a company’s ability to protect confidential information throughout its lifecycle, including capture, processing, retention and destruction. It also encompasses restricting access to customer data to authorized personnel and ensuring the security of information that is protected by laws, regulations, contracts or agreements.

Privacy

An organization’s ability to safeguard personally identifiable information from unauthorized access. Privacy controls include privacy policies and consent management methods.

Teamwork ensured success

Demonstrating that DocuWare fulfilled these criteria was a team effort. Our project team included a senior director of corporate services, a product manager and our compliance manager, as well as their staff. While preparing for the audit, the DocuWare team defined its scope and mapped our controls to the SOC 2 criteria. The audit process included an in-depth review of company policies and procedures for data handling, tests of our security controls, employee interviews and an overview of data center operations.

Because our systems and procedures have been evaluated by an independent auditor, our customers and business partners can be assured that their data will be handled securely. DocuWare maintains the most stringent privacy and cybersecurity standards and partners with service providers who meet the same requirements. SOC 2 certification is also recognized globally, which is important to us because DocuWare is used by customers in 100+ countries. For security-conscious businesses like DocuWare, SOC 2 Type 2 compliance is an important business asset that minimizes the risk of data breaches and cyberattacks.