Lessons learned from maintaining the SOC 2 Type 2 certification over the years

David Giffin
January 9, 2024

Here at Release we like to say “move fast and break fewer things”. As a startup we experiment, iterate, and bring our ideas to the market faster than most mature companies. However, our speed never comes at the expense of security, compliance, and customer trust. Our customers entrust application environment creation to the Release platform. This means they test, stage, and run their applications in production using our Environments as a Service platform. Although all workloads live in the customers’ own cloud account, we facilitate and orchestrate the underlying infrastructure, so making sure our services meet and exceed security standards is non-negotiable for us.

To demonstrate our commitment to secure practices, we obtained the SOC 2 Type 2 certification back in 2021 and maintain it to this day. SOC 2 is a major undertaking for any company, and many startups wonder if it’s worth the effort early on. For us, it was a team effort that ultimately made us rethink our practices and the culture we were building as a company. Here are some lessons we learned throughout the process that could help you decide if the SOC 2 stamp of approval is appropriate at your stage of growth.

What is SOC 2 and why does it matter?

Service Organization Controls (SOC) 2 is a compliance report standard defined by the American Institute of Certified Public Accountants (AICPA). SOC 2 reports are issued by an independent third-party CPA after a thorough audit that demonstrates how a service organization achieves key compliance controls and objectives. SOC 2 reports focus on non-financial reporting controls that relate to the security, availability, processing integrity, confidentiality, and privacy of a system. Ultimately these reports help users evaluate the risks associated with the evaluated service.

You typically hear about SOC 2 Type 1 and Type 2 reports. The key differences between them are the timing and depth of the audit. A Type 1 report assesses the suitability of the design of controls at a specific point in time, while a Type 2 report assesses the operational effectiveness of those controls over a period, usually a minimum of six months. Most organizations prepare for the Type 1 assessment while simultaneously starting to collect the data for the Type 2 assessment that follows shortly after.

SOC 2 Type 2 compliance involves a rigorous process that includes designing controls to meet Trust Service Criteria, implementing these controls, and then undergoing a thorough audit by an independent CPA to prove all controls are working as intended.

The five Trust Service Criteria crucial for SOC 2 Type 2 certification are:

  • Security: Protection of system resources against unauthorized access.
  • Availability: Availability of the system as agreed upon in the contract.
  • Processing Integrity: Completeness, validity, accuracy, timeliness, and authorization of system processing.
  • Confidentiality: Protection of confidential information as committed or agreed.
  • Privacy: Collection, use, retention, disclosure, and disposal of personal information in conformity with an organization's privacy notice.

When startups take this process seriously, they build resilient internal processes and standards that keep their customers safe, and set them up for success.

What did we learn from our SOC 2 Type 2 journey?

After going through the initial audit and completing subsequent evaluations, here are a few things we learned that might help other startups:

✅ Start early. The best time to start the SOC 2 preparations is before you have paying customers and even employees. It sounds early, but the sooner you set the foundation for consistent secure practices, the easier it will be to maintain them. The initial assessment identifies existing controls and shows you the gaps in your current setup (believe it, you will have gaps, so better catch them before anyone is affected), and gives you an opportunity to course correct. Many of our early customers required us to have a SOC 2 certification before signing contracts to use our services, so it was a blessing to already have one in hand to get started with actual paying customers!

✅ Team effort. Based on the assessment, specific controls are implemented. These range from physical security measures to IT governance and data encryption practices. This is an all-hands-on-board effort where everyone cleans up their shop. Once you set the foundation, ongoing compliance becomes standard operations for the company. When the time comes to show evidence of implemented controls, you know you did things right.

✅ Automate evidence gathering. Even the most diligent teams can get stressed when asked to provide specific evidence on the spot. Automating your evidence collection, vendor management and security policies makes the process run much more smoothly come audit time. Tools like Drata and Vanta centralize and automate control monitoring, reduce manual toil, and give you real-time visibility into your security posture during and between audits.

✅ Learn and improve. Use the findings from the recurring pen tests to build a more resilient and safer product. The security landscape changes quickly, and the guidance for SOC 2 also changes year to year. Make sure to keep track of major developments, and use the monitoring features in your compliance tools to stay on top of your current posture.

✅ Set the budget. As you head into the next budgeting cycle, make sure to set aside funds for compliance. Between the tools, the auditor fees, the pen tests, and any remediations you will need to make, there will be a cost associated with getting “the stamp”. But make sure to spend your money wisely. Choose a reputable firm and get industry-tested tools. This is not the time to look for a bargain.

In conclusion, is SOC 2 Type 2 certification worth it?

Short answer: Yes.

Security and compliance are not why any of us build startups (unless you’re Drata or Vanta), but they are the reason we stay in business. When our customers trust us, we can keep on innovating. Taking the time and putting in the effort to validate the safety, security, and integrity of our products gives our customers peace of mind and allows them to rely on the services we provide. After all, customers are running their application environments in Release, and we take that responsibility seriously.

About Release

Release is the simplest way to spin up even the most complicated environments. We specialize in taking your complicated application and data and making reproducible environments on-demand.
