Are Your Software Providers SOC 2 Compliant? They Should Be.

While many providers mention that their data center (for example, AWS or Azure) is compliant, that doesn’t mean that the platform itself has been put through the paces of a SOC 2 audit.

With cybersecurity threats on the rise, it is imperative that firms proactively improve internal and external security protocols. Keeping confidential information and sensitive client data secure means extending such protocols to each software vendor. It’s important to check the data security protocols of the software you’re evaluating before you make any decisions that can have a long-lasting impact on your firm.

What is SOC 2?

When evaluating technology providers, you’ve likely come across the organizations’ security standards. Some of the popular security protocols for software vendors include encryption measures, two-factor authentication and PCI compliance (for those that process payments). SOC 2 isn’t as commonplace, but it should be carefully considered in any software selection process. SOC 2 is a compliance standard established by the American Institute of Certified Public Accountants (AICPA) to make sure businesses don’t take on undue risk when they hire a service provider. More simply, it’s proof that the vendor you’re hiring will be able to offer a reliable service and, more importantly, has extensive safeguards in place to protect your firm’s data.

In order to prove an organization is SOC 2 compliant, they must be audited to see if their internal control policies and practices meet the AICPA’s five trust service principles. These include:

  1. Security: information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems and affect the entity’s ability to meet its objectives (example: two-factor authentication)
  2. Availability: information and systems are available for operation and user to meet the entity’s objectives (example: performance monitoring)
  3. Processing Integrity: system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives (example: quality assurance)
  4. Confidentiality: information designated as confidential is protected to meet the entity’s objectives (example: network and application firewalls)
  5. Privacy: personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives (example: access controls)

SOC 2 and Vetting Potential Software Providers

Every software provider you work with is essentially an extension of your firm. Each stores and manages sensitive information that, if it falls into the wrong hands, could be catastrophic for your clients and your business. As with hiring a new member of your firm, software providers should go through an extensive selection process that includes security “resumes.”

Brad Thies, founder of BARR Advisory, a security and compliance consulting firm, sums up the importance of auditing potential providers for SOC 2 compliance:

“It’s the same reason why banks want audited financial statements before they are willing to loan a significant amount of money. [By working with them] you’re trusting that this other company is meeting basic operating standards and an audited report gives you that objective and independent assurance with regard to cybersecurity.”

Trust and transparency are essential when selecting new software providers. Make sure to do your due diligence and ask potential vendors to see a SOC 2 report. It’s important to note that while many providers mention that their data center (for example, AWS or Azure) is compliant, that doesn’t mean that the platform itself has been put through the paces of a SOC 2 audit.

CARET Legal’s Advanced Security Standards

At CARET Legal, we want to ensure that your data (and your clients’ data) is always protected. We understand that we’re stewards not only of your data, but of your reputation, and financial success, which is why we constantly work to achieve the highest levels of security. Our experienced security team takes a proactive approach to detect, investigate and stop threats before they can impact your firm’s operations.

CARET Legal is the first cloud-based, end-to-end legal practice management platform to achieve SOC 2 compliance, delivering the highest levels of security, confidentiality and privacy to our clients. Our infrastructure resides at AWS facilities in the United States which have achieved compliance with an extensive list of global quality and security standards, including PCI DSS. You can learn more about CARET Legal’s state-of-the-art security protocols and procedures here.

Stay Connected
Stay up to date with CARET Legal