Yes, PSIGEN Software, Inc. is a SOC 2 Type 2 certified company. We engage an independent, third-party auditor each year to assess our operations. This CPA firm applies the SOC 2 Type 2 format when evaluating our company's operations.
What is Service Organization Control (SOC)?
Service Organization Control (SOC) reports were created by the American Institute of Certified Public Accountants (AICPA). SOC for Service Organizations reports are internal control reports on the services provided by a service organization; they give users the information they need to assess and address the risks associated with an outsourced service. In short, they allow end-users to evaluate the risk involved in outsourcing services to a provider.
Why is SOC important?
SOC 2 reports allow end-users to understand whether their service providers are able to store data adequately, follow best practices, and operate according to current standards. For PSIGEN, this process helps to ensure we continue to hold ourselves accountable to operational best practices, identify gaps for remediation, and consistently grow our focus on security and privacy.
What's in a SOC 2 report?
The SOC 2 report contains descriptions of a service provider's infrastructure, software, people, and procedures the service organization has in place to protect and safeguard an end-user's data. Service organizations are evaluated across five (5) Trust Service Principles:
Security–Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability–Information and systems are available for operation and use to meet the entity’s objectives.
Processing integrity–System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality–Information designated as confidential is protected to meet the entity’s objectives.
Privacy–Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
SOC 2 Type 1 versus SOC 2 Type 2 reports
There are different levels of SOC 2 reports. Service organizations may choose either Type 1 or Type 2:
Type 1 SOC 2 report – a description of the procedures and controls that the service provider has established as of a certain point in time.
Type 2 SOC 2 report – includes all the information in Type 1, but also supplies evidence as to how effective those procedures and controls were over a specified period. The audit period in a Type 2 report is typically no less than six months, enough time for a comprehensive evaluation.