Conducted by an independent third-party compliance firm, SOC 2 Type 2 audits demonstrate an organization has taken necessary steps to provide a secure and reliable operating environment that meets standards put forth by the AICPA.
By Prakash Mishra, Wyng Co-Founder and CTO
Wyng is excited to announce that it has completed the SOC 2 Type 2 audit confirming our systems, policies and practices meet the criteria established by the AICPA. As the leading provider of zero-party data solutions, Wyng has been fully committed to secure data practices and systems since we first launched. Ensuring that our data is properly stored and managed is core to our zero-party data offerings and the reason we elected to hire an independent, third-party compliance firm to conduct a SOC 2 Type 2 audit.
Why is being SOC 2 Type 2 compliant important?
According to the AICPA, System and Organization Controls (SOC) audit reports are designed to help organizations that process information on behalf of their customers build trust and confidence in their service delivery and control over information and data.
“These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems,” explains AICPA on its website.
There are two different types of SOC 2 reports: Type 1 and Type 2. The report we’ve received, the SOC 2 Type 2 report, is based on a higher-standard audit that is more rigorous, takes more time, and is more expensive. While the SOC 2 Type 1 report takes only one day’s worth of data collection, Type 2 requires 3 to 12 months’ worth of consistent data collection, along with evidence of full compliance throughout the auditing period. Also, a Type 1 report confirms that a business understands the necessary security procedures, but the Type 2 report confirms that an organization follows the necessary security procedures.
Even though it costs more and takes substantially more time, we opted to complete the SOC 2 Type 2 report to demonstrate our commitment to safe and secure systems.
For Wyng, a completed SOC 2 Type 2 audit serves as evidence that we have established a secure and reliable operating environment to deliver services to our enterprise clients, process their data, and protect their privacy. The audit provides an independent oversight of our systems, policies and practices — assuring enterprise clients, partners and vendors that we have implemented internal corporate governance and risk management processes.
It’s worth noting that a service provider may provide documentation proving their third-party data center has completed a SOC 2 Type 2 audit, but that does not mean the service provider itself has undergone the same audit or can verify its own trustworthiness. In our case, we can verify that our systems, practices and policies have been audited and meet SOC 2 Type 2 criteria standards.
Our SOC 2 Type 2 audit confirms we have systems in place to securely and reliably process our clients’ data, protect data privacy and minimize our own risks and exposure as a data processor.
SOC 2 Type 2 Audit: The effort and time needed to get to a final report
Overall, our SOC 2 Type 2 audit lasted nearly four months and involved two phases that required a significant time investment on our part. We kicked off the audit with an independent compliance firm at the start of January 2021. During the first phase of the audit, which lasted approximately two months, our team prepared and uploaded the required evidence for data requests made by the firm.
Phase two of the audit included an internal review by the compliance firm auditors and subject matter experts who then drafted the report. After an extensive review process, the final report was delivered on April 5, 2021.
In total, Wyng provided 735 different items of evidence in response to auditor requests, including documents, data logs, tickets, reports, etc. We assigned two Wyng employees to oversee the project and work directly with the compliance firm and its auditors. During the first phase of the audit, the SOC 2 Type 2 project team lead invested 40 hours per week to make sure the process went as smoothly as possible.
The SOC 2 Type 2 audit cost us a major amount of both time and money, but being compliant is critical to our business and, we believe, a necessary investment.
Our ongoing commitment to safe and secure data practices
Completing the SOC 2 compliance audit is extremely important to our business practices, but it is only part of our commitment to maintaining safe and secure systems. Wyng conducts annual disaster recovery and business continuity tests to confirm our production systems and data can be restored successfully by following documented procedures. We perform annual risk analysis across six key business functions: information security, operations, sensitive data, threats and vulnerabilities, vendors and third parties, and fraud and personnel.
Our risk analysis program involves cross-organizational reviews and adheres to a comprehensive Risk Management Plan that tracks open risks, lists responsible parties, and enforces timelines to resolve them.
We implement quarterly internal audits of user access privileges across all Wyng platforms, as well as any third-party systems we use. There is also an annual security audit conducted by a security specialist firm to identify any web application or network vulnerabilities — a two-week effort that results in a 60-page report outlining the tests that were executed, the vulnerabilities that were found, and recommendations to remediate. This testing is in addition to our weekly automated vulnerability scans to maintain our web applications and production environments.
Being a zero-party data platform provider means we have centered our business on privacy-first solutions. This focus comes with the added responsibility of ensuring our practices, policies and systems are secure. By completing the SOC 2 Type 2 compliance audit, we are more confident than ever that our customers, partners and vendors can trust we have built our business on secure and reliable operating environments.
Wyng is the world’s leading privacy-first personalization platform. Built on a zero-party data API and privacy by design principles, Wyng makes it easy for marketers to deliver customer experiences that are always welcome, relevant, and compliant. More than 250 brands and enterprises use Wyng to build deep, trusted relationships with their customers. To learn more, visit https://wyng.com.