Information Security

Last updated: April 4, 2025
Overview
SOCi, Inc. is dedicated to ensuring the security of its systems and data through a comprehensive approach that integrates policies, procedures, and technology. Our commitment to security is demonstrated through the implementation of extensive security measures, known as the Common Criteria Controls, aligned with the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria for Security, Availability, Processing Integrity, and Confidentiality.
Protecting Information Assets
SOCi’s management has established robust information security policies and procedures to safeguard sensitive data. These measures provide a thorough framework for protecting the confidentiality, integrity, and availability of all company resources and information assets. This commitment not only benefits SOCi but also extends to our employees and clients. We recognize the importance of a secure computing environment and are dedicated to maintaining effective security controls across all aspects of the organization.
Roles & Responsibilities
- Chief Technology Officer (CTO): Oversees all technological aspects, including security initiatives.
- Vice President of Information Security and Compliance: Leads all security-related matters within the company.
- Security & Compliance Analyst: Focuses on security and compliance issues.
- Principal Security Engineer: Manages security development processes and platform protection.
- Security DevOps Specialist: Monitors security incidents and oversees operations.
- Information Security & Privacy Management Committee (ISPMC): Responsible for the development, implementation, and evaluation of security policies.
Organizational Controls
- Security Awareness Education (SAE): Mandatory for all SOCi employees and contractors.
- Advanced Secure Coding Training: Required for all engineers to ensure best practices in security.
- Adherence to Industry Best Practices: Including change management and application development standards.
Technical Controls
- Cloud Security: SOCi relies on Amazon Web Services (AWS) and Google Cloud Platform (GCP), which offer secure, tested, and monitored infrastructure.
- Continuous Monitoring: All systems and infrastructure undergo constant monitoring.
- Vulnerability Assessments: Regular assessments performed by CREST-certified security firms.
- Endpoint Protection: Antivirus and malware prevention on all workstations.
- Data Backups: Critical systems are regularly backed up, with a comprehensive disaster recovery strategy in place.
- Network Protection: We implement next-generation firewalls and intrusion detection/prevention systems (IDS/IPS).
- Access Management: Strong identity and access controls ensure only authorized individuals can access sensitive data.
- Security Monitoring: Our security information and event management system (SIEM) provides best-in-class monitoring.
Data Encryption Methods
SOCi uses robust encryption to protect sensitive data in transit and at rest. Our encryption strategies include:
- Whole Disk Encryption and Partition/File Encryption for sensitive data storage.
- Encryption of Disk Drives, Personal Storage Media, and Backups.
- Database Encryption to secure stored data.
- All transmissions of sensitive data are encrypted in transit using HTTPS or SSH.
- SOCi employs accepted encryption algorithms and protocols such as AES, 3DES, and TLS 1.2+ to secure data.
Compliance & Security Standards
SOCi, Inc. has established an Information Security and Privacy Management System (ISPMS) to protect the confidentiality, integrity, and availability of all entrusted data.
- Third-Party Audits: We conduct annual independent assessments of both our technical and organizational controls, including SOC 2 Type II and ISO 27001:2013 certifications.
- Alignment with Industry Standards: While we are not required to adhere to certain regulations like HIPAA, SOCi’s security practices align with HIPAA’s controls as evidenced in our SOC 2 report. We can also add a HIPAA Business Associate Agreement (BAA) upon request.
SOCi’s rigorous security protocols are not only aligned with SOC 2 standards but are also adaptable to meet industry-specific requirements as needed.
To request a copy of our SOC 2 report or ISO 27001 certification, please contact your Account Executive or Customer Success Manager. For further security inquiries, reach out to us at [email protected].
Ongoing Security Commitment
SOCi takes security seriously, maintaining the highest standards of data protection. In addition to our SOC 2 report, we proudly hold a SOC 3 report that demonstrates our compliance with stringent security protocols and industry best practices (SOC 3 Report).
SOCi also runs a Security Bug Bounty Program for our systems and applications. If you have identified a bug or wish to participate, please contact us at [email protected].