At eTurns, we’re not big on bragging. But we do want to share something we’re pretty proud of: We’ve earned the tech world’s version of the Good Housekeeping seal of approval.
In our industry, that means we passed the lengthy and exacting phase one of the Service Organization Control (SOC)2 audit. And we’re anticipating that we’ll fare equally well when the auditors return later this year to conduct phase two.
To put it very simply, the SOC2 audit, conducted by a certified public accounting firm, evaluates the suitability and design effectiveness of the controls behind a service organization's cloud solution. Specifically, the audit examined two areas: security and availability.
SOC2 audits aren’t required by any regulatory agency. But as data security and availability become increasingly important, a growing number of companies are asking tech firms they do business with whether they are SOC2 compliant.
In eTurns’s case, some of our larger customers, one of which works extensively with a major government contractor, asked if we had been audited. Now we have.
I’m glad we did it, because passing phase one is a great way to demonstrate to our customers that:
A: We know what we’re doing;
B: We are serious about protecting our customers’ information; and
C: We are serious about keeping the application available 24/7/365.
Here are some examples of how seriously we take these controls. We have designed our solution, running on Amazon Web Services in Virginia, to provide an "always-on" environment. What this means is our customers will never experience unplanned downtime. Each transaction is instantaneously written to the production drive as well as a "mirrored drive." If the production drive fails, the mirrored "always-on" drive immediately takes over within a fraction of a second.
Beyond this “always-on” architecture, we push backups of all of our customers’ data to a completely separate server farm in Oregon. We push a full backup of all data once per day and then hourly incremental backups during the day to protect against the entire production server group failing in Virginia.
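To make the recovery arithmetic behind a daily-full-plus-hourly-incremental schedule concrete, here is an added example (not eTurns code; the schedule, timestamps and helper names are constructed assumptions). It builds a sample schedule, resolves which backups must be applied, in order, to restore to a requested point in time, checks that the chain is well formed, and reports the data-loss window a failure at a given moment would leave.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "incremental"
    taken_at: datetime   # when the copy finished landing at the remote site


def generate_schedule(start: datetime, days: int, full_hour: int = 2) -> List[Backup]:
    """Constructed schedule: one full backup per day at `full_hour`, and an
    incremental at every other hour (assumption: the full replaces the
    incremental in its own hour)."""
    out: List[Backup] = []
    for d in range(days):
        day = start + timedelta(days=d)
        for h in range(24):
            t = day.replace(hour=h, minute=0, second=0, microsecond=0)
            out.append(Backup("full" if h == full_hour else "incremental", t))
    return out


def restore_chain(backups: List[Backup], target: datetime) -> List[Backup]:
    """Backups to apply, in order, to reach the latest state not after
    `target`: the most recent full at or before target, then every
    incremental taken after that full and at or before target."""
    candidates = sorted((b for b in backups if b.taken_at <= target),
                        key=lambda b: b.taken_at)
    fulls = [b for b in candidates if b.kind == "full"]
    if not fulls:
        return []  # nothing restorable: no full backup exists yet
    base = fulls[-1]
    incrementals = [b for b in candidates
                    if b.kind == "incremental" and b.taken_at > base.taken_at]
    return [base] + incrementals


def chain_is_valid(chain: List[Backup]) -> bool:
    """A usable chain starts with exactly one full, is followed only by
    incrementals, and is strictly ordered in time (no gaps are filled in)."""
    if not chain or chain[0].kind != "full":
        return False
    if any(b.kind != "incremental" for b in chain[1:]):
        return False
    times = [b.taken_at for b in chain]
    return all(a < b for a, b in zip(times, times[1:]))


def data_loss_window(backups: List[Backup], failure_time: datetime) -> Optional[timedelta]:
    """How much work is lost if production fails at `failure_time` and the
    remote copies are restored: the gap back to the newest usable backup."""
    chain = restore_chain(backups, failure_time)
    if not chain:
        return None
    return failure_time - chain[-1].taken_at


if __name__ == "__main__":
    schedule = generate_schedule(datetime(2024, 1, 1), days=3)
    failure = datetime(2024, 1, 2, 5, 30)
    for b in restore_chain(schedule, failure):
        print(f"apply {b.kind:<11} from {b.taken_at:%Y-%m-%d %H:%M}")
    print("data lost:", data_loss_window(schedule, failure))
```

With this schedule the worst-case loss window is just under one hour (a failure a second before the next hourly copy lands), which is the figure an availability control of this shape is really promising; the chain resolver also makes the other dependency visible, namely that every incremental since the last full must be present and intact for the restore to succeed.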
One more example: Not only is all data encrypted in motion, the most sensitive data is encrypted at rest on our drives. Furthermore, all public-facing servers are protected by real-time anti-virus and anti-malware software that simultaneously performs intrusion detection and intrusion prevention. These best-practice security capabilities allow our customers to have great comfort that their private and proprietary business information is secure from both bad actors and competitors.
We're not perfect, though. Not yet. But we did learn things during the audit that we'll implement and that will get us closer to perfection. One is that we should separate our development team's responsibilities from our Managed Service Provider's. This provider is responsible for 24/7/365 monitoring of the performance of AWS, and if any intrusions are detected they immediately take action or engage the eTurns team to determine the best plan of action. Our Managed Service Provider also now deploys the code for our semi-monthly deployments. So we now keep those functions separate.
Successfully completing this audit sends a message that we are committed to the highest standards in the design and effectiveness of our controls. We understand the requirements of our customers and the security and controls required to keep data safe and available. But most importantly, being SOC2 compliant communicates that an independent auditing CPA firm has confirmed that eTurns has delivered on effective security and availability controls.
By Rock Rockwell, CEO