Securing Your Data: Dispatch Earns SOC 2 Certification for Data Protection
We are excited to announce that Dispatch has achieved SOC 2 compliance, having successfully completed our Type I audit.
What is SOC 2 and why does it matter?
SOC 2 is the industry standard for reporting on security controls. SOC 2 spares organizations from having to individually inspect every vendor's security measures – saving time and money, and reducing the risk of mistakes.
What is SOC 2?
It stands for “System and Organizational Controls”.
It originated in the 1970s when auditors needed a way to assess how companies handled financial controls. Over time, it expanded to include information security.
In 2010, the American Institute of Certified Public Accountants (AICPA) introduced SOC 2 as part of the Service Organization Controls (SOC) framework, focusing on internal controls for things like security, confidentiality, and data availability.
Secureframe has a great article that explains its history in more detail.
Why does it matter?
Without a standard like SOC 2, organizations would have to spend resources to independently evaluate the security of each prospective vendor or partner organization before connecting their data to external systems.
It would be incredibly costly, ad hoc, and error-prone.
SOC 2 sets rigorous requirements on how companies handle customer data and information.
As a vendor, being SOC 2 compliant provides a guarantee to your prospective customers that your company has established and implemented organizational practices to safeguard customer data.
It likewise helps prospective customers of these organizations evaluate their vendors’ security standards on a consistent basis.
How is SOC 2 attestation conferred?
Phase 1: Preparation
We partnered with Secureframe, who helped us prepare for the audit and review our internal controls, including policies, procedures, and infrastructure regarding:
- data security,
- firewall configurations,
- change management,
- logical access,
- backup management,
- business continuity and disaster recovery,
- security incident response,
- and other critical areas of our business.
Working with Secureframe removed a lot of the manual work of checking that our system was meeting SOC 2 requirements. At Dispatch, privacy and security have been a priority since we first started building the product - using a platform with automated integration testing allowed us to have very robust coverage without much additional engineering effort.
Phase 2: Audit
Once all of our system and organizational controls were in place, we engaged the independent auditor Johanson Group to run the audit.
They reviewed our security controls and processes and found that we meet the standards for SOC 2 certification.
SOC 2 Type I vs. Type II
There are two types of SOC 2 certification. You can think of them as “snapshot” and “ongoing”.
Type I: Snapshot
The SOC 2 Type I audit focuses on the design and implementation of controls. To achieve SOC 2 Type I certification, auditors confirm that your systems and controls meet the SOC 2 standards at a point in time.
Type II: Ongoing compliance
The SOC 2 Type II audit is an ongoing re-affirmation of the snapshot from Type I. It confirms that the organization continuously maintains its systems and controls over time. It also includes an assessment of the operating effectiveness of those controls.
Learnings from the process
We went into SOC 2 thinking it was going to be a huge engineering lift and were prepared to dedicate months of resources to the certification. It surprised us to discover how many of the requirements were related to HR and administrative processes (onboarding, offboarding, RBAC).
If you’re a company that already has security best practices baked into your product, using an automated compliance platform like Secureframe lets you focus on making changes rather than tediously auditing every piece of your infrastructure to figure out what to change.
We’re happy to have achieved Type I certification and are currently being monitored for our Type II ongoing compliance.
To this end, we’re thrilled to have Secureframe as a partner for our continuous compliance strategy. Their suite of integrations with our infrastructure providers makes it easy to identify and remediate known vulnerabilities, and to alert us to new ones immediately.
We are committed to providing our customers with a secure and reliable platform. Achieving SOC 2 compliance is an important step in demonstrating our ongoing commitment to security and privacy.