What is SOC 2 & Why is it important?
SOC 2, or System and Organization Controls 2, is an attestation framework governed by the American Institute of Certified Public Accountants (AICPA). In a SOC 2 audit, an independent service auditor reviews an organization's policies, procedures, and evidence against the Trust Services Criteria to determine whether its controls are suitably designed (Type I) and, for a Type II report, operating effectively over the audit period. The resulting SOC 2 report communicates a company's commitment to data security and the protection of customer information.
Improving your security posture
SOC 2 compliance demonstrates an organization's commitment to earning its customers' trust and is a major milestone in improving its overall security posture. With cybersecurity threats and data breaches increasing, it is paramount that organizations prioritize information security and the protection of their systems and data. By undergoing a SOC 2 audit, we had our controls and processes validated by a third party who attests to the operation of the controls relevant to our application.
Why we pursued SOC 2 now
SOC 2 compliance is an integral step in proving to customers, stakeholders, and other interested parties that our organization values their trust and has effectively implemented security controls. At our company's stage, we realized this was an ideal time to pursue it: it is important to protect data and mitigate security risks early, and then on an ongoing basis.
Hubble's user research tools are used by companies of all sizes, from ten-person startups to public enterprises. To maintain our customers' trust, we decided to obtain a SOC 2 report (SOC 2 is an auditor's attestation rather than a certification) so that every customer can rest assured that their data is safe with Hubble and that every in-scope system we run meets rigorous security standards. Through our commitment to SOC 2, we will ensure that every change introduced in our technology stack and infrastructure stays compliant and does not compromise our customers' data or security. Through our compliance partners, we will continue to monitor all of our controls and ensure that we maintain high security standards measured against the SOC 2 Trust Services Criteria. With our completed SOC 2 report, Hubble can continue to acquire larger customers who want an all-in-one tool for product discovery and research.
Hubble's journey to achieve SOC 2 compliance
Vanta
We partnered with Vanta, a leader in the trust management space, to automate the collection of our audit evidence. Vanta integrates with our key systems and continuously monitors our controls, giving us a strong security foundation for protecting customer data.
Advantage Partners
Our audit firm, Advantage Partners, was extremely helpful in creating a seamless audit experience. With their guidance and support, we achieved SOC 2 compliance in a swift, efficient manner.
Process
While SOC 2 can be a big undertaking, our compliance partners streamlined the process. We used Vanta to integrate our key systems and to guide us in implementing the policies and procedures needed to become audit ready quickly. Vanta gave us the direction we needed to pursue our compliance journey.
Advantage Partners then confirmed our audit readiness and we kicked off our Type II audit. For the audit, Advantage evaluated the controls we had in place and issued an opinion on whether they were suitably designed and operating effectively over the audit window. Shortly after the audit window ended, Advantage Partners drafted and issued our report.
Timeline
One key takeaway is that improving your security posture and achieving compliance is a large undertaking. The right compliance partners make it easier, but it still takes dedicated focus and time from your organization. The readiness period can take the most time; by making compliance a priority, we were able to get audit ready in a matter of weeks rather than months.
We also found it important to review the audit timeline with Advantage Partners, set a target audit date, and work backwards from it to be ready in time. Now that our controls are implemented and security is a priority for the team, subsequent SOC 2 audits should be even more seamless.
Lessons we learned
Compliance is not one size fits all, and it requires a lot of planning and dedication if you want your SOC 2 audit to go smoothly. Because we are a startup, we needed to make sure that all of our infrastructure components can scale as our product and customer base continue to grow. We also learned that security is a continuous effort that needs ongoing monitoring so that our customers can keep trusting our product as they use it in their day-to-day operations.
We learned that it is easier to implement policies earlier rather than later. Rather than waiting to implement SOC 2 controls, get started early so that as the organization grows you can stay compliant and keep adapting to the right security needs. SOC 2 is becoming table stakes in any sales cycle, even for early-stage companies, and we are very excited to be able to expedite security reviews from our prospects and potential customers.
If you need access to our SOC 2 report or have questions about our security and compliance controls, please contact us at hello@hubble.team or message our team members in our community.