As of April 2022, LogicLoop has completed its SOC2 Type II audit. LogicLoop is an operations automation tool that allows you to query your business data to trigger alerts and automations. Since we work directly with customer data, security is of the utmost importance. SOC2 is a formal, independent audit verifying that your organization's data security and privacy policies and controls meet the highest standards of information compliance in the industry.
If you're a technology leader working on a software product that interfaces with sensitive customer data, you've likely heard of SOC2 before and are wondering whether it's something you should prioritize. Having gone through the process ourselves in the past few months, LogicLoop is happy to share our learnings.
How do I know if SOC2 is something worth investing in?
If the following apply to you, it’s likely that a SOC2 certification will benefit your company:
Because SOC2 can add more process to your organization, it might not be worth it for you if:
When should I invest?
You'll know it's the right time to pull the trigger when multiple potential customers ask you about your security policies and/or your SOC2 report in particular. If you have not yet been asked, you might be a little too early in the process, and it may be worth prioritizing other aspects of your business first. However, you don't want to wait too long either: you risk losing a late-stage customer because you weren't able to provide strong enough evidence of your company's security practices. While you can certainly DIY your security policies, having an industry-standard SOC2 report on hand significantly speeds up the process and gives your customers confidence that you are following best practices.
What types of requirements are part of the SOC2?
The SOC2 covers a wide array of organizational processes and infrastructure security requirements. Here are some examples:
Infrastructure & data:
How much time & resources would the process take?
The answer to this question will vary drastically from organization to organization. Keep in mind that it's going to be far less painful if you start following best practices earlier in your company's life rather than later. For early-stage startups just establishing their processes for the first time, you can be prepared for SOC2 in a matter of weeks. For larger companies, training employees on new procedures and migrating legacy infrastructure over could be far more time consuming. For example, if your company has been using unencrypted databases for years, then depending on how your cloud infrastructure is set up, migrating those databases to encrypted instances can be a painful process. For this reason, LogicLoop invested in SOC2 early on in the company's life.
I’m interested - what are the next steps?
Luckily, the SOC2 process is a very well-trodden path, and there are many services out there that can hold your hand through it. These services charge anywhere from $5k-$15k/year, but they provide a myriad of ways to support you:
You may also DIY the process yourself to save the money, but unless you are already an expert on SOC2, we generally recommend engaging with a third-party service for support. Given how many requirements there are, expect to be drowning in spreadsheets, documents, and tons of Googling for answers on the internet if you attempt to do it yourself. LogicLoop engaged with SecureFrame for our SOC2 process and it was worth every penny. Other vendors that provide similar services that you can look into include Vanta and Drata.
Finally, expect to pay another $5k-$15k for the actual auditors to run the audit. Services like SecureFrame and Vanta can introduce you to auditors that are familiar with working with them, which can further speed up the process. Companies typically get a SOC2 Type I certification first, which attests that the organization has met the requirements of the audit at a certain point in time, and then a SOC2 Type II certification 4-9 months thereafter, which attests that the organization has remained compliant over a period of multiple months. At the end of all this, you get a shiny digital badge and a PDF report worth $30,000+. Happy auditing!
We hope this is helpful and if you’re looking to set up alerts and automations to scale your company’s operations, check out LogicLoop!