DocuWare continues to be the world's leading Cloud technology for Enterprise Content Management. At DocuWare we view Innovation, Architecture, Security, Integration and Scalability as core segments of technology leadership in ECM – and today we are happy to announce that as of August 15, 2016, we have gained SOC 2 Type 1 certification for DocuWare Cloud. Our SOC 2® report gives full transparency into DocuWare’s industry-leading controls and procedures ensuring the security and availability of DocuWare Cloud, which have been independently assessed and attested to by 3rd parties. What does SOC 2 mean to you?
You can rest assured that every aspect of DocuWare Cloud meets rigorous standards as outlined by the veritable cloud standards authority, the American Institute of Certified Public Accountants (AICPA), not only in our Software - but also in our Infrastructure, Procedures, Handling of Data, and Personnel.
SOC, or Service Organization Controls, are a series of standards that focus on a service organization’s controls relevant to security, availability, processing integrity, confidentiality, and/or privacy.
In the past many organizations used SAS 70 reports to ensure compliance with best practices for handling of financial reporting. SOC supersedes the SAS 70 standard, and the SOC 2 reports focus on service organizations, such as Cloud Software (SaaS) providers.
SOC 2 has several “Trust Principles”, the most relevant to DocuWare Cloud customers are Security and Availability. AICPA defines the Security Trust Principle as “The system is protected against unauthorized access, use, or modification”. To ensure this there are 7 general categories of criteria a service organization must adhere to:
1) Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.
2) Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.
3) Risk management and design and implementation of controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.
4) Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability, and design and operating effectiveness of the controls, and takes action to address deficiencies identified.
5) Logical and physical access controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.
6) System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.
7) Change management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.
When it comes to security, DocuWare has spent a quarter century developing products that protect our users from data and document loss while ensuring that only authorized users can access the information they are supposed to. Today we are happy to have our systems attested to through the most rigorous industry standards by independent 3rd parties, and giving our customers the peace of mind that their data is safe in the DocuWare Cloud.