DCTR-02

Is a SOC 2 Type 2 report available for the hosting environment?

Explanation

This question asks whether a SOC 2 Type 2 audit report is available for the datacenter or hosting environment where your service or application runs. A SOC 2 (Service Organization Control 2) Type 2 report is an independent audit report that evaluates a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy over a period of time (typically 6-12 months). Unlike a Type 1 report, which only assesses the design of controls at a specific point in time, a Type 2 report verifies that these controls operated effectively over the entire audit period.

This question is asked because organizations want assurance that the physical infrastructure hosting their data meets industry security standards. Having a SOC 2 Type 2 report demonstrates that your hosting provider has undergone rigorous third-party validation of its security practices and that these practices have been followed consistently over time.

When answering this question:

1. Be clear about whether the report exists.
2. Specify which entity was audited (your company or your hosting provider).
3. Indicate how recently the report was completed.
4. Mention whether the report can be shared (typically under NDA).
5. Note any significant findings or exceptions in the report, if applicable.

Example Responses

Example Response 1

Yes, our hosting environment is provided by AWS, which maintains SOC 2 Type 2 compliance. Their most recent SOC 2 Type 2 report was completed in December 2023 and covers all regions where our application is deployed. We can provide access to AWS's SOC 2 Type 2 report upon request, subject to a non-disclosure agreement (NDA). The report showed no significant exceptions related to the security controls relevant to our service offering.

Example Response 2

Yes, our company maintains SOC 2 Type 2 compliance for our private datacenter operations where the solution is hosted. Our most recent audit was completed in March 2023 by Ernst & Young, covering the period from January 2022 to December 2022. The report addresses all five trust service criteria (security, availability, processing integrity, confidentiality, and privacy). We can provide the full report under NDA as part of the procurement process. The report identified two minor exceptions that were remediated during the audit period, with the auditor confirming the effectiveness of the remediation actions.

Example Response 3

No, a SOC 2 Type 2 report is not currently available for our hosting environment. We use a combination of self-hosted infrastructure in a leased datacenter facility and Microsoft Azure services. While Microsoft Azure maintains SOC 2 Type 2 compliance (which we can share upon request), our leased datacenter facility has not undergone a SOC 2 audit. However, we have implemented comprehensive security controls aligned with SOC 2 principles and NIST 800-53 across our entire infrastructure. We are currently in the process of preparing for our first SOC 2 Type 2 audit, which is scheduled to begin in Q3 of this year, with the report expected to be available by Q1 of next year.

Context

Tab: Infrastructure
Category: Datacenter

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub