
We're very pleased to announce that incident.io is now SOC 2 compliant, having successfully completed our Type I audit. Put simply, this means an external auditor has looked at how the company is operating, and how our software is managed and operated, and confirmed that we meet a set of high security standards.
SOC 2 is an information security standard which looks at the controls we have in place for the security, availability and privacy of data. To become compliant we need to meet the SOC 2 standards, which require us to define how things work in a number of policies and procedures, and to have a collection of technical controls in place for our processes and systems.
At incident.io, security is an active part of everything we do. Instead of periodic checks on our systems, we're actively monitoring our entire environment on an ongoing basis using Vanta.
Vanta connects in a read-only mode to all of our systems, including our cloud environment, GitHub repositories and MDM solution, and continuously monitors our controls to ensure they're working as expected. This means we can be confident things are always working, and it streamlines the audit process as our auditors can directly access up-to-date evidence themselves.
Take, for example, a control that says all stored data must be encrypted at rest. In a traditional audit approach, we'd manually gather evidence from our cloud provider console (probably taking screenshots 😬) and send it off to an auditor. With Vanta, this evidence is collected automatically all of the time, and we allow our auditors to log in and view it first-hand.
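To make the difference concrete, here is what an automated, continuously-run version of that encryption-at-rest control test can look like. This is an added illustration, not incident.io's or Vanta's code: the inventory format, the control identifier and the resource names are constructed assumptions, and a real implementation would pull the inventory from the cloud provider's API with read-only credentials. The point it shows is that each run produces timestamped, per-resource evidence, and that a resource which reports no encryption configuration at all fails the check rather than being assumed compliant.

```python
"""Automated control check: all stored data must be encrypted at rest.

Added example (not from the original post). The inventory below is a
constructed stand-in for what a read-only cloud API integration would
return; the field names and control id are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed sample inventory: the shape a read-only integration might
# normalise provider resources into. Not any real provider's API format.
INVENTORY = [
    {"id": "bucket/customer-exports", "kind": "object_storage",
     "encryption": {"enabled": True, "key": "provider-managed"}},
    {"id": "db/primary-postgres", "kind": "database",
     "encryption": {"enabled": True, "key": "customer-managed"}},
    {"id": "disk/legacy-worker-scratch", "kind": "block_storage",
     "encryption": {"enabled": False}},
    # No encryption field reported at all: must be treated as a failure,
    # never as an implicit pass.
    {"id": "bucket/static-assets", "kind": "object_storage"},
]

# Placeholder control identifier for this example (not a real SOC 2 criterion id).
CONTROL_ID = "CTRL-ENCRYPTION-AT-REST"


@dataclass(frozen=True)
class Evidence:
    """One piece of audit evidence: the result of testing a control on one resource."""
    control_id: str
    resource_id: str
    passed: bool
    detail: str
    collected_at: str  # ISO 8601 timestamp of when the check ran


def check_encrypted_at_rest(inventory: Iterable[dict],
                            now: Optional[datetime] = None) -> List[Evidence]:
    """Evaluate every storage resource against the encryption-at-rest control.

    Fails closed: a resource that does not report an encryption configuration
    is recorded as failing, because absence of evidence is not compliance.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    results: List[Evidence] = []
    for resource in inventory:
        enc = resource.get("encryption")
        if not isinstance(enc, dict):
            results.append(Evidence(CONTROL_ID, resource["id"], False,
                                    "no encryption configuration reported", stamp))
        elif enc.get("enabled") is True:
            key = enc.get("key", "unspecified")
            results.append(Evidence(CONTROL_ID, resource["id"], True,
                                    f"encrypted at rest with {key} key", stamp))
        else:
            results.append(Evidence(CONTROL_ID, resource["id"], False,
                                    "encryption at rest disabled", stamp))
    return results


def control_passes(results: Iterable[Evidence]) -> bool:
    """The control as a whole passes only if every resource passed."""
    return all(e.passed for e in results)


def failing_resources(results: Iterable[Evidence]) -> List[str]:
    """Resource ids that need remediation before the control can pass."""
    return [e.resource_id for e in results if not e.passed]


if __name__ == "__main__":
    evidence = check_encrypted_at_rest(INVENTORY)
    for e in evidence:
        status = "PASS" if e.passed else "FAIL"
        print(f"{e.collected_at} {e.control_id} {status} {e.resource_id}: {e.detail}")
    print("control passes:", control_passes(evidence))
```

Run on a schedule (hourly, say) and stored, the list of `Evidence` records is exactly the kind of artefact an auditor can inspect directly: it shows not just that encryption was on during the audit window, but every resource's state at every point the check ran, which is what a Type II assessment over a longer period needs.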
What we have today is a Type I report, which asserts that we have everything set up correctly when the audit took place. We'll be following this up with an even stronger Type II audit, which confirms the above, but also looks at whether we're following these good practices consistently over a longer time period (hint: we are!). We'll be picking this up early next year.
If you'd like to chat more about SOC 2, or get a copy of our report, either join our Community Slack workspace, or head to our Security page.

I'm one of the co-founders, and the Chief Product Officer here at incident.io.

