Service Organization Control (SOC) for Service Organizations

Is PSIGEN Software, Inc. Certified?

Yes, PSIGEN Software, Inc. is a SOC 2 Type 2 certified company. We engage an independent, third-party auditor each year to assess our operations. This CPA firm applies the SOC 2 Type 2 format when evaluating our company's operations.

What is Service Organization Control (SOC)?

Service Organization Control (SOC) reports were created by the American Institute of Certified Public Accountants (AICPA). SOC for Service Organizations reports are internal control reports on the services provided by a service organization. They provide valuable information that users need to assess and address the risks associated with an outsourced service. In short, this allows end-users to evaluate the risk involved in outsourcing services to a provider.

Why is SOC important?

SOC 2 reports allow end-users to understand whether their service providers are able to adequately store data, are following best practices, and run operations that follow current standards. For PSIGEN, this process helps to ensure we continue to hold ourselves accountable to operational best practices, identify gaps for remediation, and consistently grow our focus on security and privacy.

What's in a SOC 2 report?

The SOC 2 report describes the infrastructure, software, people, and procedures that a service organization has in place to protect and safeguard an end-user's data. Service organizations are evaluated across five (5) Trust Service Principles:

  • Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability – Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

SOC 2 Type 1 versus SOC 2 Type 2 reports

There are different levels of SOC 2 reports. Service organizations may choose either Type 1 or Type 2:

  • Type 1 SOC 2 report – a layout of procedures and controls that the service provider has established as of a certain point in time.
  • Type 2 SOC 2 report – includes all the information in Type 1, but also supplies evidence as to how effective those procedures and controls were over a specified period. The audit period in a Type 2 report is typically no less than six months—enough time for a comprehensive evaluation.
