We're very pleased to announce that incident.io is now SOC 2 compliant, having successfully completed our Type I audit. Put simply, this means an external auditor has looked at how the company is operating, and how our software is managed and operated, and confirmed that we meet a set of high security standards.
SOC 2 is an information security standard, which looks at the controls we have in place for the security, availability and privacy of data. To become compliant we need to meet the SOC 2 standards, which requires us to define how things work with a number policies and procedures, and to have a collection of technical controls in place for our processes and systems.
At incident.io, security is an active part of everything we do. Instead of periodic checks on our systems, we're actively monitoring our entire environment on an ongoing basis using Vanta.
Vanta connects in a read-only mode to all of our systems, including our cloud environment, GitHub repositories and MDM solution, and continuously monitors our controls to ensure they're working as expected. This means we can be confident things are always working, and it streamlines the audit process as our auditors can directly access up-to-date evidence themselves.
Take, for example, a control that says all stored data must be encrypted at rest. In a traditional audit approach, we'd manually gather evidence from our cloud provider console (probably taking screen shots 😬) and send them off to an auditor. With Vanta, we have this evidence collected automatically all of the time, and allow our auditors to log in and view it first-hand.
What we have today is a Type I report, which asserts that we have everything set up correctly when the audit took place. We'll be following this up with an even stronger Type II audit, which confirms the above, but also looks at whether we're following these good practices consistently over a longer time period (hint: we are!). We'll be picking this up early next year.