DOCU-03

Have you undergone a SSAE 18/SOC 2 audit?

Explanation

This question is asking whether your organization has undergone a System and Organization Controls 2 (SOC 2) audit, which is based on the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) framework. A SOC 2 audit is an independent assessment conducted by a certified public accounting firm that evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and/or privacy. It's designed to provide assurance to customers and partners that your organization has implemented appropriate security controls.

Why it's asked in security assessments:

1. It provides third-party validation of your security practices
2. It demonstrates your commitment to security and compliance
3. It shows you've invested in formal security processes
4. It reduces the need for customers to perform their own detailed assessments

The question is important because organizations that handle sensitive data are expected to have formal, validated security controls in place. A SOC 2 audit is one of the most recognized ways to demonstrate this.

When answering this question, you should:

- Be clear about whether you have completed a SOC 2 audit
- Specify which type (Type I or Type II) and which Trust Service Criteria were in scope
- Mention when it was completed and by which auditing firm
- If you haven't completed one, explain any plans to do so or alternative compliance frameworks you follow

Example Responses

Example Response 1

Yes, our organization has undergone a SOC 2 Type II audit. Our most recent audit was completed in March 2023 by Ernst & Young, covering all five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). The audit found no significant exceptions, and we maintain continuous compliance with SOC 2 requirements. We can provide the audit report under NDA upon request.

Example Response 2

Yes, we completed our first SOC 2 Type I audit in November 2022, conducted by KPMG. This audit covered the Security, Availability, and Confidentiality trust criteria. We are currently undergoing our SOC 2 Type II audit, which examines controls over a 12-month period, and expect to receive this certification by December 2023. We can share our current SOC 2 Type I report with prospective customers under NDA.

Example Response 3

No, we have not yet undergone a formal SSAE 18/SOC 2 audit. As a growing organization, we have prioritized implementing security controls aligned with SOC 2 requirements and have completed a readiness assessment with a third-party consultant in preparation for a formal audit. We have scheduled our first SOC 2 Type I audit to begin in Q3 of this year. In the meantime, we follow ISO 27001 principles and can provide documentation of our security controls and practices upon request.

Context

Tab: Organization
Category: Documentation

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub