SOC 2 Certification: What It Is and Why We Got It

There are a lot of ways to have fun with data. The breadth of information that’s available can lead to some outrageous analysis, like why vegetarians miss fewer flights or the famous Spurious Correlations website. At ThinkData, we celebrate the fun stuff – but we also take the serious stuff seriously. That’s why we made it a priority to become SOC 2 certified.

Can't data security be fun, too?

That's a fair point, data security can be fun – provided you’re on the winning side, following the rules and best practices. If not, things become significantly less fun. As a global average, the cost of a data breach in 2020 was $3.86M, and for the US specifically, it was $8.64M. 

The enterprise is waking up to this need, as there was a nearly twofold increase in the percentage of companies investing in data and AI from a defensive stance, with risk mitigation a likely driver.

How much will data security cost?

We’ve seen the price tag for ignoring data security – but surely there’s a cost associated with implementing these complex systems and rules, right?

There absolutely is. But the more important thing is the results. The benefit of investing in security is that companies saw a 1.9X return on investment for privacy spending in 2020, according to a Cisco report.

What is SOC 2 certification?

The AICPA created Service and Organization Controls (SOC) standards against which companies could be measured. There are specialized, company-specific criteria for how an organization manages and responds to issues, maintains confidentiality and privacy, processes data and ensures its integrity, and a host of other process-centric components.

In being evaluated, companies must prove that they meet and exceed the standards set out by the AICPA under their Trust Services Criteria. The five broad categories for these criteria are: Privacy, Security, Availability, Processing Integrity, and Confidentiality.

Why is SOC 2 certification important?

Trust is one of the best reasons to get SOC 2 certification. When a service provider has gone through the process of getting certified, it’s empirical proof that they’re following industry best practices and that they have protocols in place to ensure the overall quality and security of their services.

There’s an added benefit of standardization and recording of your internal procedures. It’s a good exercise for companies to formally codify their incident management protocols and privacy standards, for example, so that there’s a gold standard, and a place to point new employees in the onboarding process.

What are Trust Services Criteria?

Trust Services Criteria (TSCs) are the individual standards that a company has to meet in order to fulfil the requirements of SOC 2 certification. The TSCs are grouped into categories, which, at a quick glance, can look somewhat vague, and definitely interrelated. Each of these five categories defines a specific section of evaluation criteria.

Security: Protection measures are put in place to ensure that there’s no unauthorized access of information or systems, including unauthorized disclosure of information. Security also ensures protection from damage to systems that could compromise a company’s ability to meet its objectives while maintaining standards in the other 4 categories.

Availability: Simply, there needs to be a method of access for privileged members of the organization to access the information. Ultimate security would be a hard drive buried thousands of miles underground that nobody can access. Availability ensures that the information is actually usable.

Processing integrity: Each evaluation is tailored to the applicant’s specific line of business and method of operation, but broadly, the information flowing through the organization needs to be complete, accurate, valid, and current, and the organization must have a basis for processing this information.

Confidentiality: Sensitive information must be protected in a way that supports the objectives of the organization. This is fairly straightforward – the applicants need to demonstrate that they can handle confidential information in a way that keeps it confidential.

Privacy: This category speaks largely to the processing of personal information, ensuring that the organization has a legal basis for accessing this information. They must collect, use, retain, and discard it in a fitting manner in order to fulfil privacy requirements.

Why did ThinkData Works get SOC 2 certified?

The organizations we work with span a wide range of industries, and with that comes a wide range of needs. It was important to us to be able to demonstrate that we are following industry best practices, and the best way to do this was through third-party evaluation. 

By meeting the stringent requirements set out by the AICPA, we can easily show that we have put in place the proper protocols, infrastructure, and protections required to conduct business on an enterprise level.

The important part of SOC 2 certification is its acceptance as an industry standard. When somebody wants to drive, they pass tests to get their licence. In the same way, we’ve got a “licence” that says we know how to run our business responsibly and handle information with due consideration to its protection and integrity. Could we prove it item-by-item to every client every time? Absolutely – but SOC 2 is a standard way to prove it efficiently. 

Data security is key

We are true believers that the first considerations in any digital transformation efforts should always be around data protection. It’s possible to find workarounds and pivots when it comes to the delivery vehicle or the teams, but security must be unwavering. 

Our hope is that current and new regulations steer every industry towards a standard of responsible data management. It allows companies to build consumer trust, to safeguard their business, and to ensure that data is used and governed responsibly, avoiding very costly fines.

ThinkData’s platform is designed to ensure that the organizations who use it have the tools to solidify their data security practices, including residency requirements, access controls, and auditing capabilities. Our tools contribute to that big ROI mentioned earlier, and we're very proud of that.

We’re building tools that power sustainable data operations, and with this SOC 2 certification, we’re happy to say that we practice what we preach.

Does your business need a data catalog to find, understand, and use trusted data to drive business outcomes? Reach out to start learning how to get more out of every data point in your organization.