Pagefreezer Is SOC 2 Type 1 and 2 Compliant

I’m extremely proud to announce that Pagefreezer is now SOC 2 Type 1 and Type 2 compliant. We have always made use of compliant data centers to store information, but over the last year our organization itself has now gone through the rigorous SOC 2 auditing process to achieve compliance. 

This is yet another crucial step in our ongoing commitment to the protection of customer data, proprietary information, and personal data. By attaining ISO 27001:2013 certification last year, we showed that we’re doing everything we could to protect the confidentiality, integrity, and availability of information, systems, and services. Having now gone through the full SOC 2 auditing process as well, we can further demonstrate that we have the necessary controls in place to mitigate the risks inherent to the service we provide, and we can better measure how we conduct and regulate the information we manage.

What Is SOC 2?

Where ISO 27001 is a recognized framework for implementing an effective information security management system, SOC 2 is a more detailed, customer-focused assessment that looks at the logical and physical controls a service organization has put in place. It examines how the company controls and limits access to data, how users are authenticated, and how any inappropriate activity is reported and managed.

SOC stands for System and Organization Controls, and was developed by the American Institute of Certified Public Accountants (AICPA). It is governed by this accounting institute because it originally started with SOC 1, which examines a service organization’s controls relevant to the audit of a customer’s financial statements. SOC 2, however, reports on the effectiveness of the controls a service organization has created to protect the security and confidentiality of information.

SOC 2 defines criteria for service organizations to manage customer data based on five Trust Services Principles, and the outcome of the audit process is an independent auditor’s SOC 2 report.

That said, it’s important to distinguish between SOC 2 Type 1 and Type 2. Type 1 is a point-in-time audit reporting that organizational controls are adequately designed to meet the trust services requirements at the time of the report; we received this Type 1 report in October 2019. Type 2 is a full audit involving examination and testing of the controls described. It reports on the operating effectiveness of those controls over a period of time.

Why SOC 2 Compliance Is Important

Our goal is to offer transparency by providing a third party’s detailed account of Pagefreezer’s controls related to security and confidentiality.

Many organizations offer security policies and practices on their websites. But if these are self-reported, a customer has no real insight into the efficacy of the controls. ISO 27001 certification and a SOC 2 report provide third-party evidence that Pagefreezer is living up to our security commitments. 

Potential customers often have questions about our security policies: how we respond to incidents, protect data, and control access. The SOC 2 report is a lengthy and detailed document that answers these questions and offers the opportunity to understand our company, the systems we have in place, our operations, and our technical controls. They can then use this information to assess risk and know they’re making the right choice in Pagefreezer as a vendor. Our SOC 2 Type 2 report also gives existing customers assurance that the controls we have in place are implemented and operating effectively to meet the criteria for security and confidentiality of their data.

The SOC 2 Audit Process

In Pagefreezer’s case, the independent auditor’s report is a lengthy 125-page document. It attests that Pagefreezer has put in place controls for information security and confidentiality that are suitably designed (according to the trust services criteria), and that after in-depth testing and examination, these controls operated effectively throughout the review period. 

The report provides a detailed description of the controls in place that meet the SOC Trust Services Criteria, including the product and services we provide, our corporate oversight and internal corporate governance, descriptions of our infrastructure and systems, the technical safeguards in place, vendor management, risk management, and policies and procedures in place for management of security and confidentiality across the organization.

At the start of the process, we provided descriptions of controls—every aspect of the company and policies and practices in place—and these were reviewed to make sure controls were adequate. We then provided evidence, as requested, covering a three-month period. Our Security Team and process owners for all control areas took part in an inquiry process with the auditors who observed processes, inspected systems and records, and tested controls. After this period, the audit company then provided feedback and created the report based on evidence provided and our descriptions of systems. The auditor found that we met all the criteria and that there were no exceptions in our test results.

Tips for Preparing a Company for a SOC 2 Audit

For more information about security at Pagefreezer, please visit our Security Page. Below I’ve also put together some tips for any company preparing to embark on certification:

  • Be diligent when choosing an auditor. Finding a CPA firm whose auditors also have the right technical knowledge and experience relevant to your business can streamline the lengthy auditing process.
  • Take time to train and educate employees across the organization in your security policies and expectations, as their compliance in the day-to-day operations of the company will be closely examined.
  • Put a dedicated security team in place to coordinate with SOC auditors, understand expectations, and prepare your team well before the examination process begins.
  • Prepare process owners from across your organization. It’s likely that members from finance, HR, operations, and customer experience through to IT will be asked to contribute to the SOC auditing process.
  • Maybe you’ve implemented great security practices and controls, but for SOC 2 you also need to be able to prove their effectiveness, so you’re going to need good evidence. Keep logs, reviews, and records of all the work your security team and entire organization is doing over time.
Michael Riedijk
With more than 20 years of experience building successful technology companies in Europe and North America, Michael Riedijk is recognized as a leading innovator in compliance technologies. Originally from The Netherlands, Michael relocated to Canada and launched Pagefreezer in 2010.
