We are super excited to announce that we have successfully completed the System and Organization Controls (SOC) 2 Type II Audit examination for our Torii platform.
From day one, security and compliance have been top of mind for our product and development teams. Since Torii manages mission-critical SaaS applications and the data inside them, there was just no question about it. That being said, undergoing an independent third party audit and being officially certified confirms that the product and services Torii provides are mature, robust, and secure and that we are actively creating an organization that supports these goals 🚀.
It also means that our software development processes and practices meet the required levels of oversight and monitoring, so that we can proactively identify and address any unusual activity, remediate it with deep contextual insight, and take corrective actions if and when they are needed.
SOC 2 is a certification developed by the American Institute of Certified Public Accountants (AICPA) that provides a way to measure the operating effectiveness of a company’s controls as they relate to Security, Availability and Confidentiality.
Preparing for SOC 2 is a company-wide effort. To succeed you need the full support of everyone on the team. It was with that support and dedication that we were able to enter our observation period this year and come out the other side with no exceptions noted.
SOC 2 is becoming the gold standard technology companies must meet today. It applies to nearly every SaaS company, as well as any company that uses the cloud to store its customers’ information. So, along with celebrating this accomplishment, we want to share some observations we made along the way.
We hope that it may help our customers, partners and anyone else looking to take on SOC 2.
Today is as good as any day
For a young, 20-employee company, embarking on the SOC 2 compliance journey may be daunting. It is a time-consuming process that touches almost every aspect of the way you develop your product and conduct your business, and it requires making sure that all your ongoing internal practices and procedures are compliant.
But instead of treating it as a hurdle, we soon realized that being a young, agile company was in fact in our favor. Crafting things ‘as they should be’ at a very early stage is obviously easier than fixing long-established broken processes, and having everyone on board and committed to the success of the process, as is the case in young companies, makes implementing any necessary change a breeze. So instead of delaying the challenge, we made it an integral part of our top-priority tasks for the year and got it over and done with in no time.
Compliance is just the means, not the goal
Compliance is just one part of the business. It is not the end goal. Neither security nor compliance should run your business or set its goals. Designing good controls means understanding how the business works and then finding creative ways to add those controls into existing workflows. Forcing new work methods in the name of compliance is a dangerous game and, in most cases, not a promising path to follow. You are welcome to introduce some procedural changes, but it’s up to you to make sure you don’t slow down the people who are doing their jobs.
It is not a one-time process but a way of living
The idea here is that the SOC 2 audit isn’t a one-time test that you pass by going through a checklist. Make sure you truly internalize the policies and procedures you commit to, making them a real part of your corporate attitude. We like to think of it as a marathon rather than a sprint, and as any experienced marathon runner knows, you are never really done, not even when you cross the finish line. In the back of your mind you’re already evaluating what you could have done differently and how you can improve at your next practice and on your future runs.
Automation is the key
The whole idea behind audits and certifications like SOC 2 is implementing clear procedures and controls. Managing the influx of information your organization produces every day is a task of its own: you can hire an army of people, build a troop of robots, or do anything in between.
We chose the robots. For us, this was an easy decision, as we preach automation and control to Torii users. So, the same procedures and mindset that we used to plan and develop the Torii platform were applied to the SOC 2 audit planning process. These procedures and principles also form the foundation of the way we run our business and have proved incredibly valuable to the overall process. We built the automation with auditability in mind, so that when we have to show what’s going on or prove that a certain procedure is practiced, we just issue the right report.
This is just the beginning. Proving that we have the right processes and procedures in place, we now have our sights on additional certifications. We are going full steam ahead because we believe that compliance and security are important drivers for developing our practices to ensure the highest quality of product and services for our customers. Processes like the SOC 2 audit make Torii a much more robust and mature organization with functional, repeatable, and scalable controls.
We are incredibly proud of this accomplishment and we are even happier to be able to share it with everyone. If you are a Torii customer and would like a copy of our report, please contact your account manager.