I’ve always been proud of Metaimpact’s security program and the dedication of our team and organization to implement industry best practices and standards to protect our customers and their data. That’s why I’m excited to announce that Metaimpact recently received SOC 2 Type 2 certification. What’s more is that we had zero exceptions—meaning we met all requirements without exception.
At Metaimpact, we are building a network-based architecture where multiple parties can go to a co-owned space and collaborate and share information across organizational boundaries. That means metrics, assets, documents, videos, analytics, and desired outcomes are all shareable between multiple parties.
This not only requires solid security and privacy controls, but also means that Metaimpact has a higher bar to clear than many other SaaS companies.
From day one our team has addressed security and privacy in both the software we build and the processes our organization implements.
What is SOC 2?
SOC 2 is a security controls framework that specifies requirements an organization must meet to be compliant. These controls cover a wide range of topics from organization-wide security policies to software development lifecycle (SDLC) practices to disaster recovery procedures.
In order for an organization to be SOC 2 “certified”, it must demonstrate to a third-party auditing firm that every control of the security framework is met satisfactorily. It can take months or even years for startups to be in a position to start and complete the SOC 2 audit process given the vast number of requirements to be compliant.
What is the difference between Type 1 and Type 2?
The two different types of SOC 2 attestation are simple to understand. Type 1 is a point-in-time audit. An organization works with the auditing firm to demonstrate that they have all of the required controls (policies, procedures, and practices) in place and that they are following them at that point in time.
Once an organization has received the Type 1 attestation, then an annual Type 2 audit is conducted. Type 2 is not point-in-time but rather an audit over an extended period of time, like three or six months. This demonstrates that an organization in fact follows all of the controls on an ongoing basis.
Why SOC 2 and not another framework?
SOC 2 is the industry standard for SaaS companies operating in the United States. However, as part of an organization’s security program, it should be one of many certifications. ISO 27001 is a set of international standards very similar to SOC 2 but generally covers European requirements. There is a significant overlap between these two frameworks.
HITRUST is another certification that is more aligned with the healthcare industry.
It isn’t a matter of choosing one framework over another, but about the order in which certifications are acquired by a company. MetaCX intends to add both ISO 27001 and HITRUST to our arsenal of certifications over the next 12 months.
How is SOC 2 different from privacy regulations like GDPR?
SOC 2, ISO 27001, and HITRUST are compliance frameworks that result in a certification (attestation is the more appropriate term).
The General Data Protection Regulation (GDPR) sets the requirements that dictate how companies protect EU citizens’ personal data. It requires being able to provide an individual with all of the data a company has about them, communicating how personal data can be shared across organizations, and giving an individual insight into how their data is stored, processed, and handled.
In the United States, the California Senate passed the California Consumer Privacy Act (CCPA) which is very similar to the GDPR requirements. It is expected to be the foundation of broader consumer protection laws instituted by the federal government.
To summarize, privacy regulations are government regulations, whereas SOC 2 is an industry-governed standard. There is no government-sponsored certification for GDPR or CCPA. Companies are expected to abide by the regulations or face hefty fines for not doing so.
MetaCX has policies and procedures in place to address GDPR and CCPA requirements.