SOC 2 Compliance
SOC 2 Compliance is the adherence to a security framework developed by the AICPA, verified through an independent audit, that confirms a service organization like Surfly maintains strong controls over information security, availability, and confidentiality.
What you need to know about SOC 2 Compliance
SOC 2 (System and Organization Controls 2) is a reporting framework for service organizations developed by the American Institute of Certified Public Accountants (AICPA). It is designed to provide detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
A SOC 2 audit is performed by an independent Certified Public Accountant (CPA) firm. The result is a report that describes the service organization’s systems and assesses how well its controls are designed and operate. The framework is built on five Trust Services Criteria (TSCs):
- Security (Common Criteria): The system is protected against unauthorized access, use, or modification. This is a mandatory criterion for any SOC 2 report.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.
There are two types of SOC 2 reports:
- Type I: Reports on the design of controls at a specific point in time.
- Type II: Reports on the operating effectiveness of those controls over a specified period (typically 6-12 months), providing a higher level of assurance.
How Surfly Achieves SOC 2 Compliance
Surfly's SOC 2 compliance is verified through an audit conducted by the independent CPA firm Insight Assurance LLC. This process results in a SOC 2 Type II report, which provides a third-party opinion on Surfly’s security. The report confirms that Surfly's description of its system is accurate and that its security controls are both suitably designed to meet its objectives and operated effectively throughout the audit period.
This is achieved through a combination of Surfly's architecture and internal organizational processes that address the Trust Services Criteria:
- Security: Surfly's architecture includes a zero-storage design, meaning customer session data is not stored at rest on its servers, greatly reducing the attack surface. Access to production environments is strictly controlled through role-based permissions and multi-factor authentication. The company also engages in continuous vulnerability scanning and regular penetration testing.
- Availability: The platform is built on a high-availability infrastructure across multiple geographic regions, using providers like AWS, Hetzner, and LeaseWeb. This design ensures service continuity and resilience. Automated monitoring and alerting systems track platform health, allowing for quick response to any potential issues.
- Confidentiality: Surfly’s Interaction Middleware enables features like Field Masking, which programmatically redacts confidential information from an agent's view. All data in transit is protected with strong TLS 1.3 encryption. These technical controls ensure that customer data remains confidential throughout a co-browsing session.
- Internal Processes: Compliance is supported by company-wide policies covering information security, incident response, change management, and employee security awareness training. These documented procedures are regularly reviewed and audited as part of the SOC 2 Type II examination.
The importance of SOC 2 Compliance
A SOC 2 report is a major component of vendor due diligence for many organizations, especially in technology, finance, and healthcare.
Business and Security Benefits
- Independent Security Validation: A SOC 2 report provides customers with a detailed, third-party assessment of a vendor's security, offering a higher level of trust than a self-assessment.
- Streamlined Vendor Reviews: For enterprise customers, receiving a vendor's SOC 2 report can significantly shorten the procurement and security review cycle, as many of their security questions are already answered in the report.
- Demonstrates Mature Security: Achieving and maintaining SOC 2 compliance shows that a company has a mature, well-documented, and consistently managed security program.
- Meets Enterprise Requirements: Many large companies have a policy of working only with key vendors that can provide a SOC 2 report, making it a prerequisite for doing business.
A Practical Example of SOC 2 Compliance
Frequently asked questions about SOC 2 Compliance
We’ve compiled answers to the most frequently asked questions about SOC 2 Compliance.
Surfly maintains a SOC 2 Type II report. This provides a higher level of assurance because it assesses the operating effectiveness of Surfly's controls over a period of time, not just their design at a single point in time.
Surfly's SOC 2 report contains confidential information and is available to current or potential customers upon request and under a Non-Disclosure Agreement (NDA).
Surfly's SOC 2 report provides an auditor's opinion on the Security criterion. The report also contains descriptions of controls relevant to Availability and Confidentiality, which are suitable for customers in regulated industries needing assurance that the service is secure, will be available when needed, and will protect their data.
Surfly's proxy-based, zero-storage architecture is a key security control that helps meet the Security and Confidentiality criteria. By processing data in-memory and not storing it at rest, the architecture inherently limits data exposure and simplifies the controls needed to protect it, which is a positive factor in a SOC 2 audit.