We just achieved SOC2 Type 1 compliance. Some might ask, why would an early-stage company go through this process? The answer is simple. Our customer’s trust is the most important thing for us. They trust us with their infrastructure data and adhering to the most stringent security standards is our way of earning and maintaining that trust.
SOC2 specifies how to operate a trustworthy business. As such it ranges from how the business should be structured (e.g. what the board of directors does), over change processes (e.g. ensuring that no unreviewed changes are made in production), to data security (e.g., that all data is encrypted at rest). The specific aspects of the standard are accumulated in the Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy.
The resulting SOC2 report is tailored to the unique needs of each business. Each implementation of SOC2 is different and depends on the specific practices (called controls) chosen to achieve the SOC2 criteria. These reports provide companies and their regulators, business partners, and suppliers, with critical information about how the organization operates.
We have a number of lessons along the way. Let me summarize the key lessons in this blog post.
We started our compliance journey right after I was hired with SOC2 being my ramp-up project. I was the first hire after the founders, so this was early for most companies, but we wanted to ensure we are instilling best practices from day one. To follow through with certification demonstrates our commitment to best practices as we continue to scale.
For those of you that are thinking about SOC2 compliance, it’s important to note that SOC2 doesn’t only help with demonstrating good practices to customers, but also provides a checklist of technical aspects as well as company processes that need to be established to scale. Establishing those early with fewer employees is easier (e.g. fewer people need to review and agree to new company policies), and sets us up for success as we grow the company.
Chkk’s product is applicable for companies of all sizes, from newly created businesses to scaled enterprises. Of course, compliance expectations differ greatly from org to org based on needs and size. As we work hands-on with scale-ups and enterprises, they expect us to check all boxes. SOC2 compliance addresses most (if not all of them) and shows that we are sincere in our offers. As such, SOC2 is not a differentiator anymore today but table stakes without approaching such customers is very complex if not impossible.
Put yourself in the shoes of the person you are selling your product to. Would you prefer for them to have to share one prepared PDF with their security/legal teams (the SOC2 report), or manage multiple questionnaires back-and-forth to get to use your product?
We strive for best practices in everything we do at Chkk throughout the entire business. We have a good amount of experience designing systems and organizations at Chkk, and have seen these practices working in multiple iterations. With that being said, it’s incredibly helpful to get an outside opinion on our implementation at Chkk. This replaces our best intentions, with clear feedback and confirmation of our compliance with these important aspects. Becoming SOC2 compliant gives us further peace of mind that we are on the right track going forward.
At the core SOC2 is a set of goals and practices to be implemented. In the technical realm, most of them can be automated and thereby offloaded from any individual’s consciousness. We partnered with Vanta, the leader in continuous compliance monitoring, to get this automation into Chkk and ensure we are following our guidelines now – as well as in the future. Vanta streamlines the process by automating the collection of up to 90% of the evidence companies need to prove their compliance, and providing clear guidance for and one place to upload the rest. Vanta helped us prepare for SOC2 audits in weeks rather than months.
We also partnered with Johanson Group LLP for the audit. They had extensive expert knowledge and provided us individualized attention throughout the audit, which allowed us to complete the audit quickly.
If you’re interested in working with Chkk, a SOC2 compliant company, you can click here to get early access.