BlueTally is Now SOC 2 Compliant

As our customers at BlueTally trust us with important data, security has always been a top priority for our team. As part of our commitment to security, we're proud to announce that we've just obtained our SOC 2 Type I attestation report.

We are currently in audit for our SOC 2 Type II attestation, scheduled for completion in Q1 2024.

Understanding SOC 2 Compliance

SOC stands for 'System and Organization Controls', a regulatory framework established by the American Institute of Certified Public Accountants (AICPA).

Within SOC 2, the AICPA outlines five Trust Services Criteria (TSC) to be potentially addressed by service organizations: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the fundamental criterion that all SOC 2 reports include, while organizations may choose additional criteria based on their specific business needs.

Organizations are required to implement controls tailored to ensure that the chosen TSCs are consistently met. For example, to adhere to the Security criterion, an organization might enforce multi-factor authentication for all access to sensitive systems.

A SOC 2 report is compiled following a thorough evaluation by an independent CPA firm. This evaluation focuses on two primary aspects: whether the controls are suitably designed to meet the TSCs and if they are operating effectively in the organization's daily procedures.

Distinguishing Between Type I and Type II SOC 2 Reports

In the realm of SOC 2 compliance, organizations may encounter both Type I and Type II reports.

Type I SOC 2 reports serve as a snapshot, offering a point-in-time assessment. When a CPA firm undertakes a Type I report, it meticulously evaluates the service organization's controls at a specific moment, ensuring they are both well-designed and effectively implemented.

Conversely, Type II SOC 2 reports provide a more extensive overview, covering a minimum duration of six months. In this rigorous evaluation, a CPA firm not only assesses the design and implementation of controls but also verifies their operational effectiveness throughout the entire audit period.

Consider an example where an organization mandates that all changes to products and infrastructure be reviewed by a second employee, distinct from the initiator. In preparing a Type II report, the CPA firm will examine a broad selection of changes made during the audit timeframe to confirm that each was reviewed in alignment with the stated control.

Pursuing SOC 2 Attestation: Our Journey and Rationale

At BlueTally, our decision to pursue SOC 2 attestation was driven by two primary motivations. Firstly, we aimed to adhere to a robust framework that would hold us accountable and ensure the utmost safety of our customers' data. Secondly, we sought a standardized method to transparently convey our security practices to our customers.

To this end, we decided to partner with Vanta to establish and maintain effective controls and engaged Prescient Assurance to perform the comprehensive audit.

Our journey began with achieving our Type I report in December 2023. We are currently in audit for our SOC 2 Type II report, scheduled for completion in Q1 2024. As part of our ongoing dedication to maintaining rigorous security standards, we intend to update our Type II report annually.

Dive deeper into our security initiatives and learn more about how we protect our customers' data by visiting our Vanta Trust Center.