
The leading no-code app development platform, Quixy, recently achieved the System and Organization Controls 2, Type 2 (SOC 2 Type 2) Compliance Certification in addition to ISO 27001 certification that it already holds.

As an advanced Business Process Management (BPM) and High-Performance Application Platform-as-a-Service (HpaPaaS) provider, Quixy’s top priority is security, with a strict no-compromise policy adhered to at every step. This article explains how Quixy ensures the security and safety of customer information and what the newly achieved SOC 2 Type 2 Compliance certification implies.

What is the SOC Report?

A SOC report is a verifiable audit report performed by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report reviews a service organization’s controls over one or more of the Trust Service Criteria (TSC): Privacy, Confidentiality, Processing Integrity, Availability, and Security.

There are three types of reports: SOC 1, 2, and 3.

SOC 1 relates to examining controls over financial reporting, while the SOC 2 and SOC 3 reports focus on pre-defined, standardized benchmarks for controls related to the security, confidentiality, availability, processing integrity, or privacy of data. SOC 2 is a restricted-use report, while SOC 3 is a general-use report. SOC 2 and SOC 3 also ensure that the practices are sustained and maintained.

What is the SOC 2 Type 2 Compliance Certification?

The SOC 2 Type 2 Compliance Certification verifies not just the suitability of the design, but also the operating effectiveness of the security controls over an extended period. More specifically, SOC 2 is designed for service organizations that store customer data in the cloud. It certifies that the company maintains the most stringent controls for protecting and securing customer information.

There are two types of SOC 2 reports, Type 1 and Type 2.

Type 1: A point-in-time audit, during which auditors evaluate and report on the design of the controls a company has put in place as of a specific date.

Type 2: This type is more stringent than Type 1 and verifies the effectiveness of the security controls over an extended time. Auditors usually recommend 4 months for the first audit and 6 months for subsequent audits. It is important to note that there are no requirements or standards for the audit duration other than a 3-month minimum period.

The audit for SOC 2 Type 2 was conducted by the independent CPA firm, Riskpro, in compliance with the attestation standards set by the American Institute of Certified Public Accountants (AICPA).

Why is the SOC 2 Type 2 Compliance Certification needed?

SOC 2 compliance is a critical framework for technology and cloud computing companies today, ensuring that the platform securely manages client data to protect the interests of the organization and the privacy of its clients.

What does this imply?

By achieving the SOC 2 Type 2 Compliance Certification, Quixy ensures the protection of information by abiding by the trust principles on which SOC 2 Type 2 is assessed. The company follows strict security policies and procedures, encompassing the security, availability, processing integrity, and confidentiality of customer data.

There are five trust principles on which the SOC 2 certification is assessed. The assessment is based on the systems and processes in place and measures the extent to which the organization has complied. The five trust principles are:

1. Security

This principle ensures that system resources are protected from unauthorized access. It prevents potential system and data misuse, abuse of software, and improper alteration or disclosure of information. To ensure the security, credibility, and availability of the Quixy Platform and customer data, combinations of preventive, protective, and reactive controls are in place.

2. Availability

Availability relates to the accessibility of the system, products, or services, as typically agreed by both parties. This means agreeing upon where information can be available and accessed from. It involves security-related criteria that affect access to data and information.

At Quixy, data can only be accessed when necessary to facilitate the customer’s use of the application, and only after specific authorization has been provided. In addition, stringent authentication, including multifactor verification, limits access to approved staff. Personnel access is withdrawn as soon as it is no longer required.

3. Processing Integrity

The processing integrity principle addresses whether or not the service achieves its purpose of delivering the right data to the right place at the right time. This requires that data processing be accurate, timely, complete, valid, and authorized. Quixy acts as a data processor and addresses all privacy commitments, such as restricting access to authorized personnel, not disclosing customer data, and complying with client requirements.

4. Confidentiality

This principle ensures the confidentiality of data. Data is considered secure if its access and disclosure are restricted to specified people or teams. Encryption is an example of protecting confidentiality during transmission. Network and application firewalls, together with meticulous access controls, can safeguard the processing and storage of information on systems.

When stored within the Quixy Cloud, customers monitor their data. Under no circumstances does the platform disclose customer data to law enforcement authorities, except as directed by a customer or where required by law.

5. Privacy

Privacy addresses a system’s collection, use, retention, disclosure, and disposal of personal information in compliance with an organization’s privacy notice and with the criteria outlined in the AICPA’s generally accepted privacy principles (GAPP). At Quixy, data privacy is everything. Clients determine which data they submit as customer data to the Quixy Platform.

Security is a common customer concern regarding all SaaS and cloud-based services, and Quixy is no exception. To assure its clients, the company passed a rigorous and extensive audit whose results testify that Quixy is committed to its clients and their security. All certifications and compliance reports are available to customers upon request under NDA.

As an ideal platform that solves all security and privacy-related issues, Quixy not only transforms businesses, it also ensures that its clients’ data and information stay secure. For more information about Quixy and to learn how Quixy is enabling digital transformation for its customers, get started with a 21-day free trial to see how Quixy can help you innovate and revolutionize your organization.
