SaaS Companies and SOC 2 Compliance
SOC 2 compliance is crucial for Software as a Service (SaaS) companies today. Like other compliance mandates, it is not simple: it is a set of complex requirements that must each be reviewed and met.
SOC 2 Compliance
In today’s world, security breaches have become commonplace, and it’s vital that companies embed security into their daily culture. And as it stands today, most attacks are caused by preventable loopholes in software. This means that most breaches can be easily prevented by following a standard and routine set of security practices.
Thankfully, there is guidance for creating secure web platforms. Sound compliance certifications and standards, including SOC, PCI, and HIPAA, have been set up to help companies meet the dynamic and evolving risks facing customer data.
In response to our customers’ needs for data security, PipelineDeals is pleased to announce that it has recently been awarded its SOC 2 security compliance certification.
While the certification is important and verifies our commitment to protecting customer data, what is even more valuable is our belief in strong security practices as a regular part of business.
Investments in sound software engineering and development practices deliver business value to end users of our software. The same goes for investing in security tools, training, and methodologies to help keep data in your hands.
At PipelineDeals, we put our customers first. Therefore, we store their data like bank deposits in a vault.
There are several essential pillars to creating secure web applications, and they are at the heart of SOC 2 compliance. As a 100 percent cloud-based company, we rely on web-based software for every aspect of our business, in addition to the software we provide to our customers.
To do this safely, we leverage Amazon’s commitment to securing the cloud by taking advantage of the many tools they provide.
The first place any security practice needs to start is at the front door—the network firewall. We use Amazon Web Services (AWS) Virtual Private Cloud capabilities to block unwanted traffic before it reaches our systems.
Encryption in Transit and at Rest
Encrypting data in transit and at rest means that once your data leaves your browser, it remains encrypted from that point on: as it enters our systems, and every time it is written to disk (think system backups). At no point, whether you are accessing PipelineDeals or not, is your data exposed in readable form.
A routine part of our security practice is to regularly review all of our systems and inspect for vulnerabilities. If anything is found, a plan is created to mitigate or eliminate it. We do this internally, as well as leverage third party security service providers to help.
In order to find potential vulnerabilities before others do, we engage third party security testers to attempt to penetrate our platform on a regular basis. They provide us with reports of potential weaknesses for us to reinforce.
Server Vulnerability Detection, Intrusion Detection, and Patch Management
The digital security environment is a constantly evolving landscape, and new threats are always emerging. An essential part of any IT system is a security service provider that delivers real time updates on the latest vulnerabilities.
We’ve partnered with Threatstack to monitor all the servers in our cloud for new vulnerabilities as well as malicious and suspicious activity. The system sends alerts to our team in real time, so risks can be addressed.
Software Development Security Practices
In the past, security was left to specialists in IT and wasn’t a focus for software engineers. In today’s world, it is imperative that software engineers also be highly knowledgeable in security practices. They need to know how to address and prevent a wide variety of malicious code and overt attacks.
PipelineDeals provides regular, ongoing security training to our engineering staff. We also built security scanning into our continuous integration process, where all new code is checked for newly introduced security bugs. Code that does not pass the scan cannot be deployed until the vulnerability is resolved.
PipelineDeals SOC 2 Certification
We are proud of our SOC 2 certification, and look forward to continuing to expand our security footprint. Because we embed security into our craft and culture, creating secure software is an ongoing part of what we do.
Data is the currency of the digital age. Its value is much like that of money, and it needs to be protected in much the same way. Being responsible for our customers’ information is a core part of who we are at PipelineDeals.
By Jeff Oberlander, VP of Engineering at PipelineDeals