SOC 2 certification: Why the best SaaS platforms don’t write their own report card

Article written by Dan Whitty, Senior Information Security Manager at Award Force.

Any software platform can say it takes security seriously. But a SOC 2 certification means a reputable independent auditor checks months’ worth of evidence to see that it’s actually true.

Shortlisting platforms can sometimes come down to a single differentiator. Two finalists both have polished websites. Both claim their security is enterprise-grade. Both use words like “robust” and “world-class.” One of them, it turns out, wrote those words about themselves. The other had an independent auditor, someone with no stake in the outcome, spend months trying to find holes in their system before arriving at the same conclusion.

Which platform would you trust with your applicants’ data? That, in essence, is what SOC 2 certification is about…the old security adage: trust but verify.

So what does SOC 2 actually stand for?

SOC stands for System and Organization Controls, a framework developed by the American Institute of Certified Public Accountants (AICPA).

SOC 2 is the version designed specifically for technology and cloud-based service companies, and it focuses on how a platform handles the security of the data it holds on behalf of its customers.

For awards management, that data is significant: entrant names and contact details, financial information, evaluation scores, reviewer notes, award decisions. This is data that SaaS services have a duty to protect.

SOC 2 Type 1 vs Type 2: The difference between a promise and a track record

This is where many prospects get confused, and it’s an important distinction.

• A SOC 2 Type 1 report says: At this specific point in time, this platform had the right controls in place. Think of it as an inspector visiting a restaurant kitchen on a single afternoon and confirming the equipment was clean and the food was stored correctly.
• A SOC 2 Type 2 report says: Over an extended period, typically six to twelve months, an auditor observed that those controls were actually working consistently, in practice.

Type 2 is the more rigorous of the two, and the one most customers will expect to see. It’s the difference between a platform that built a secure system and one that has demonstrably run a secure system, day in and day out, under the scrutiny of an independent third party.

What to look for in a SOC 2 certified platform

If you’re evaluating awards management software, here are a few questions worth asking any vendor that claims to be SOC 2 compliant:

• Is it Type 1 or Type 2? Type 2 is the stronger standard. If a vendor only has Type 1, ask when they expect to complete Type 2.
• How recent is the report? SOC 2 audits are typically renewed annually. An audit from several years ago tells you less about the current state of the platform.
• Can you share the report? A credible vendor should be willing to provide their SOC 2 report, or at a minimum a summary, to serious prospects. If they’re reluctant, that itself is a signal.

Award Force and SOC 2

We’ve already handed in our report card once, and we’re currently “sitting the exam again”. Award Force is SOC 2 Type 2 certified, and at the time of writing, our second audit is underway. Because one independent review was never going to be enough for us.

Visit our security centre to learn more.