SOC 2 Compliance

SOC 2 (System and Organization Controls 2) is a reporting framework for service organizations developed by the American Institute of Certified Public Accountants (AICPA). It is designed to provide detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

A SOC 2 audit is performed by an independent Certified Public Accountant (CPA) firm. The result is a report that describes the service organization’s systems and assesses how well its controls are designed and operate. The framework is built on five Trust Services Criteria (TSCs):

• Security (Common Criteria): The system is protected against unauthorized access, use, or modification. This is a mandatory criterion for any SOC 2 report.
• Availability: The system is available for operation and use as committed or agreed.
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
• Confidentiality: Information designated as confidential is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.

There are two types of SOC 2 reports:

• Type I: Reports on the design of controls at a specific point in time.
• Type II: Reports on the operational effectiveness of those controls over a specified period (typically 6-12 months), providing a higher level of assurance.

How Surfly Achieves SOC 2 Compliance

Surfly's SOC 2 compliance is verified through an audit conducted by the independent CPA firm, Insight Assurance LLC. This process results in a SOC 2 Type II report, which provides a third-party opinion on Surfly’s security. The report confirms that Surfly's description of its system is accurate and that its security controls are both suitably designed to meet its objectives and operated effectively throughout the audit period.

This is achieved through a combination of Surfly's architecture and internal organizational processes that address the Trust Services Criteria:

• Security: Surfly's architecture includes a zero-storage design, meaning customer session data is not stored at rest on its servers, greatly reducing the attack surface. Access to production environments is strictly controlled through role-based permissions and multi-factor authentication. The company also engages in continuous vulnerability scanning and regular penetration testing.
• Availability: The platform is built on a high-availability infrastructure across multiple geographic regions, using providers like AWS, Hetzner, and LeaseWeb. This design ensures service continuity and resilience. Automated monitoring and alerting systems track platform health, allowing for quick response to any potential issues.
• Confidentiality: Surfly’s Interaction Middleware enables features like Field Masking, which programmatically redacts confidential information from an agent's view. All data in transit is protected with strong TLS 1.3 encryption. These technical controls ensure that customer data remains confidential throughout a co-browsing session.
• Internal Processes: Compliance is supported by company-wide policies covering information security, incident response, change management, and employee security awareness training. These documented procedures are regularly reviewed and audited as part of the SOC 2 Type II examination.

A SOC 2 report is a major component of vendor due diligence for many organizations, especially in technology, finance, and healthcare.

Business and Security Benefits

• Independent Security Validation: A SOC 2 report provides customers with a detailed, third-party assessment of a vendor's security, offering a higher level of trust than a self-assessment.
• Streamlined Vendor Reviews: For enterprise customers, receiving a vendor's SOC 2 report can significantly shorten the procurement and security review cycle, as many of their security questions are already answered in the report.
• Demonstrates Mature Security: Achieving and maintaining SOC 2 compliance shows that a company has a mature, well-documented, and consistently managed security program.
• Meets Enterprise Requirements: Many large companies have a policy that they will only work with key vendors that are SOC 2 certified, making it a prerequisite for doing business.