SOC 2 Type I completion

Acupay is excited to share that we received our SOC 2 report in April 2023. This accomplishment demonstrates Acupay’s commitment to security and privacy in our systems, technology, and operations and is another step in our ongoing effort to protect our customers’ information. It was an effort requiring significant time, planning, resources, and investment from the entire company and spanned all of Acupay’s business lines and technology.

What is a SOC certification?

SOC stands for “Systems and Organizations Controls”. There are 3 types of SOC certifications: SOC 1, SOC 2, and SOC 3. SOC 1 focuses on financial controls, while SOC 2 focuses on organizational security and operations. SOC 3 certifications focus on a portion of the SOC 2, and are used when the breadth of a full SOC 2 report is not required. SOC 3 certifications tend to be issued as a letter, whereas the others are issued as a complete report.

SOC certifications are only issued by outside independent auditors, who are authorized and trained for such audits. When a company needs to demonstrate maturity in security and operations to its customers, partners, and others, it engages an authorized SOC auditor, who uses the criteria of the SOC 2 framework to assess and report on the company. The extent to which the company complies with the five trust principles, based on the systems and processes in place, is then assessed. In the end, the SOC auditor produces a report detailing the findings.

Trust Services and Common Criteria

SOC 2 consists of Trust Service Principles with both common and specific criteria. The five Trust Service Principles are:

  • Security

  • Availability

  • Processing Integrity

  • Confidentiality

  • Privacy

The Common Criteria cross all the principles and are used to assess the Trust Services. They include:

  • Organization

  • Communication

  • Risk

  • Monitoring

  • Control Activities

The intersection of these principles and criteria creates a thorough picture of the company.

Outside of the Trust Service Principles, the specific criteria used for assessment are:

  • Operations

  • Changes

  • Mitigations

  • Privacy

  • Processing Integrity

  • Logical and Physical Access

While not covered by the Common Criteria, the controls are still rigorous and complete.

How does this set Acupay apart?

The broad scope of the criteria makes the SOC 2 report one of the most important and respected third-party assessments available. It provides credibility, assists with compliance, accelerates sales cycles, and drives long-term business success by instilling strong long-term internal processes. It is useful to executives, sales teams, business partners, prospective customers, regulators, compliance, and external auditors.

Acupay completed the audit with the highest level of compliance, having no exceptions to the controls noted on any of the criteria. This demonstrates our commitment to trust services, and to the security and privacy of the data managed on behalf of our users, customers, and partners.

More information about SOC 2

You can find more information about the SOC 2 on the Association of International Certified Professional Accountants’ (AICPA) website.
