SOC 2

Introduction

SOC 2 (Service Organisation Control Type 2) is a cybersecurity framework that assesses how well a service organisation protects client data.

Purpose

Developed by the American Institute of Certified Public Accountants (AICPA), the purpose of SOC 2 is to:

  • Ensure that client data is handled securely by third-party service providers

  • Build trust between a company and its customers

  • Demonstrate a company's maturity in handling customer data

The SOC 2 report

The Patchworks SOC 2 report is available upon request.

The SOC 2 report evaluates controls against the Trust Services Criteria, focusing on controls in five categories:

Security

Information and systems are protected against unauthorised access or disclosure, and against damage to the system that could compromise availability, confidentiality, integrity and privacy. Protections include:

  • Firewalls

  • Intrusion detection

  • Multi-factor authentication

Availability

Systems, tools, and processes are in place to ensure systems are available for operational use. These include:

  • Performance monitoring

  • Disaster recovery

  • Incident handling

Confidentiality

Systems, tools, and processes are in place to ensure information is protected and available on a legitimate, need-to-know basis (applies to various types of sensitive information). These include:

  • Encryption

  • Access controls

  • Firewalls

Processing integrity

Resources, tools and processes are in place to ensure system processing is complete, valid, accurate, timely and authorised. These include:

  • Quality assurance

  • Process monitoring

  • Adherence to principle

Privacy

Systems, tools, and processes are in place to ensure personal information is collected, used, retained, disclosed and disposed of according to policy (privacy applies only to personal information). These include:

  • Access control

  • Multi-factor authentication

  • Encryption
