How Courier Became SOC 2 Type 2 Compliant

The consumerization of SaaS has resulted in a massive handling of PII (personally identifiable information) over recent years. The security and protection of said PII has therefore become central to the foundation of a quality SaaS product, and Courier is no different. In a world where there seems to be a new data breach every time we look, users continuously demand transparency into how their data will be handled. SaaS engineering and product teams who care about how secure their apps are are just as eager to fulfill this demand. Today, in a big step toward this transparency, we are excited to announce that Courier is now fully SOC 2 Type 2 compliant.

But what does this mean? Software security and compliance is constantly evolving and is as complicated a topic as it is important. So we wanted to take this opportunity to talk a bit about what it means to be SOC 2 Type 2 compliant, why it is important that we are, and what our journey looked like on our way here.

Why Courier invested in SOC 2 compliance

Courier’s mission is to make software-to-human communication delightful, currently through providing excellent notification infrastructure. Product notifications can include a wide range of content. A rideshare app may need to include a user’s location information to provide the best experience, while a banking app may send notifications with personal financial information. Because of the sensitive nature of many notifications, it is important to us, and our customers, that Courier provides safety and security for sensitive data and peace of mind for our end users.

Also worth keeping in mind is that SaaS companies tend to use other SaaS tools to build their own products, which must be disclosed to customers using sub-processors agreements. One requirement of SOC2 compliance is ensuring that all of your sub-processors are also SOC2 compliant so this is a necessary step for providing software to many other SaaS tools.

SOC compliance is one way Courier, like other SaaS companies, can reassure customers and end users that their data remains and will continue to be as protected as possible. Having a Systems and Organizations Control (SOC) report shows that we have the important security controls in place, are using best practices to prevent, detect, and remediate any breaches, and will be transparent with our customers in how we use their information.

Why all SaaS companies should be SOC 2 Type 2 compliant

To understand the steps to take to be SOC 2 Type 2 compliant, we should better understand the myriad of SOC reports a company can produce and why SOC 2 Type 2 is the best option of them all.

A company that is SOC 1 compliant reports on security controls around financial information and objectives. SOC 2 compliance steps beyond finance and focuses on reporting on security controls concerning the five trust services principles (TSP) including security, availability, processing integrity, confidentiality, and privacy. Recently, there has been a trend towards producing and sharing SOC 3 reports in place of the more rigorous SOC 2 report. A SOC 3 report is typically generated during a Type II Audit and is intended to be a publicly available report that describes the internal controls a company has in place for SOC compliance at a high-level. They generally do not include enough information to be considered a substitute for a full Type II report, but can provide a third-party with general information on a company’s policies without divulging any sensitive information about internal controls.

Because of the detail and depth provided, SOC 2 compliance is the best option for most companies. Of SOC 2 reports there are two types: Type 1 and Type 2. Type 1 reports are quicker and easier to generate because they cover security controls and their functions on a single given day. Their purpose is to show that the controls exist, but do not provide any context on whether the controls are used in practice. Type 2 reports, on the other hand, consist of a one-year audit period requiring evidence of effective policy and control enforcement. . While these reports require more time and resources, they also provide a better view of the effectiveness of a company’s ability to detect and repair security vulnerabilities.

Courier wanted to be able to not only state our intent, but also prove to interested parties that we are following through, which a SOC 2 Type 2 report would allow us to do.

What did Courier’s journey to compliance look like?

Over a year ago, when Courier started acquiring customers in industries with sensitive data like financial services and healthcare, it became important to show our customers that their data (and their customers’ data) would be in good hands. To do so, like many early stage tech companies, we went for SOC 2 Type 1 compliance first.

In order to become Type I compliant, we needed to develop a set of policies and controls for our business practices covering a range of activities from financial reporting and hiring, to how we ship code and store data. We used a software service called Vanta, a Courier customer, to develop these policies and ensure we had covered the entire set of requirements. The process after this was fairly simple - we engaged with an auditor to go over our policies and ensure we were meeting all of the criteria to be Type I compliant. After they completed their brief audit, they generated a SOC 2 Type I report for us. We completed this in November 2020.

Since Type II compliance requires going through a one-year audit period, we had to wait a full year before we could begin the process. In December 2021, we began an engagement with Geels-Norton, an advisory service that is a qualified auditor for SOC 2. In order to complete their audit, they requested and analyzed evidence from Courier that we had effectively enforced all of the necessary policies and controls for SOC 2. Some examples of evidence included proof that we enforced hard drive encryption on all devices, enforced multi-factor authentication on all engineering systems, and regularly conducted meetings with our board. Once we satisfactorily completed the audit, they issued a Type II report for Courier.

Conclusion

The journey to ensure that we are doing our best to protect our customer’s data does not end with becoming Type II compliant. In addition to continuously evolving our policies to follow best practices in the industry and baking them into our company’s culture as we scale, we are also working towards other compliance standards such as HIPAA so that we can support healthcare organizations with their customer communication infrastructure and ISO 27001. As a provider of core infrastructure, it is extremely important to our customers that we remain on the cutting edge of security practices and we remain committed to earning their trust.