Metaimpact Completes SOC 2 Type 2 Certification

Written by Kolby Tallentire

October 6, 2021

Security

I’ve always been proud of Metaimpact’s security program and the dedication of our team and organization to implementing industry best practices and standards to protect our customers and their data. That’s why I’m excited to announce that Metaimpact recently received SOC 2 Type 2 certification. What’s more, we had zero exceptions, meaning the auditor identified no instance in which a control was not met.

At Metaimpact, we are building a network-based architecture where multiple parties can go to a co-owned space and collaborate and share information across organizational boundaries. That means metrics, assets, documents, videos, analytics, and desired outcomes are all shareable between multiple parties.

This not only requires solid security and privacy controls, but also means that Metaimpact has a higher bar to clear than many other SaaS companies.

From day one our team has addressed security and privacy in both the software we build and the processes our organization implements.

What is SOC 2?

SOC 2 is a security controls framework that specifies requirements an organization must meet to be compliant. These controls cover a wide range of topics from organization-wide security policies to software development lifecycle (SDLC) practices to disaster recovery procedures.

In order for an organization to be SOC 2 “certified”, it must demonstrate to a third-party auditing firm that every control of the security framework is met satisfactorily. It can take months or even years for startups to be in a position to start and complete the SOC 2 audit process given the vast number of requirements to be compliant.

What is the difference between Type 1 and Type 2?

The two different types of SOC 2 attestation are simple to understand. Type 1 is a point-in-time audit. An organization works with the auditing firm to demonstrate that they have all of the required controls (policies, procedures, and practices) in place and that they are following them at that point in time.

Once an organization has received the Type 1 attestation, then an annual Type 2 audit is conducted. Type 2 is not point-in-time but rather an audit over an extended period of time, like three or six months. This demonstrates that an organization in fact follows all of the controls on an ongoing basis.

Why SOC 2 and not another framework?

SOC 2 is the industry standard for SaaS companies operating in the United States. However, it should be one of many certifications within an organization’s security program. ISO 27001 is a set of international standards very similar to SOC 2 but generally covers European requirements. There is significant overlap between these two frameworks.

HITRUST is another certification that is more aligned with the healthcare industry.

It isn’t a matter of choosing one framework over another, but about the order in which certifications are acquired by a company. MetaCX intends to add both ISO 27001 and HITRUST to our arsenal of certifications over the next 12 months.

How is SOC 2 different from privacy regulations like GDPR?

SOC 2, ISO 27001, and HITRUST are compliance frameworks that result in a certification, or more precisely an attestation.

The General Data Protection Regulation (GDPR) sets out the requirements that dictate how companies protect EU citizens’ personal data. It requires being able to provide an individual with all of the data a company holds about them, communicating how personal data may be shared across organizations, and giving an individual insight into how their data is stored, processed, and handled.

In the United States, the California Senate passed the California Consumer Privacy Act (CCPA) which is very similar to the GDPR requirements. It is expected to be the foundation of broader consumer protection laws instituted by the federal government.

To summarize, privacy regulations are government regulations, whereas SOC 2 is an industry-governed standard. There is no government-sponsored certification for GDPR or CCPA. Companies are expected to abide by the regulations or face hefty fines for not doing so.

MetaCX has policies and procedures in place to address GDPR and CCPA requirements.
