We’re excited to share that we have completed the SOC2 Type 1 audit- a significant milestone in our commitment to security.

This article will cover what SOC2 is, our journey, and our plans for the future.

What’s SOC2?

Service Organization Control 2 (SOC2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). 

It’s designed to ensure that a service organization’s non-financial controls related to security, availability, processing integrity, confidentiality, and privacy are robust and effective.

Why become SOC2 compliant

We’re pursuing SOC2 compliance at Neon for three key reasons:

1. Trust
2. Continuous improvements
3. Partnerships & market differentiation

First and foremost, it’s about trust. In the digital age, data security is crucial. Our customers and partners entrust us with their valuable personal and business data; we take that responsibility very seriously. Achieving SOC2 compliance is a way for us to demonstrate our commitment to data security and privacy. It’s an internationally recognized standard, so it sends a clear message to our users that we prioritize their data security.

Second, achieving SOC2 compliance involves a thorough review of our systems and controls, which helps us identify areas where we can improve. It’s a rigorous process that pushes us to enhance our security measures, ultimately benefiting our users.

Finally, we recently launched a partners program, and SOC2 compliance shows potential customers and partners that we’re committed to maintaining high standards of security and privacy, which can help us stand out from the crowd.

Our journey to SOC2

Achieving SOC2 compliance is a long and rigorous process. It took us around four months of careful planning, preparation, and continuous efforts. Here’s a detailed breakdown of the process:

1. Gap Analysis

This step is a deep dive into our existing security controls to see how they stack against SOC2 standards. We put our policies, procedures, and controls under a microscope, looking for any deficiencies that could potentially undermine data security, availability, processing integrity, confidentiality, and privacy. 

2. Policy & Procedure Development

Next, we had to align our policies and procedures with SOC2’s requirements. This meant revamping our internal regulations to match SOC2’s five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.

We set up comprehensive incident management procedures, implemented disaster recovery for our systems, and ensured strict access controls, among other measures.

3. Control implementation 

This intensive process involved integrating each new measure into Neon’s daily operations. Whether it was a technical control like strengthening our data encryption or an administrative control like enforcing a strict encryption policy, we ensured every control met the SOC2 standards and often exceeded them, taking Neon’s security to the next level.

4. Training & education 

Implementing new controls is only part of the story – the real success comes from ensuring every Neon team member understands and follows these guidelines. Our team was given comprehensive training on each control, detailing the ‘what’ and ‘how’ and the ‘why’ behind each measure. 

5. The big test – the audit phase

The final step in the SOC2 compliance journey was the audit. We brought in an independent external auditor to check out our system of controls. The auditor reviewed our policies, procedures, and controls, scrutinizing each aspect against the AICPA’s Trust Services Criteria. It was a detailed process that really tested our commitment to security. Once completed, the auditor confirmed Neon complies with the AICPA’s standards, an essential milestone in our security journey.

Addressing the issue of background checks

Background checks are often seen as an essential part of the SOC2 process as a form of due diligence. However, these checks can be intrusive and, in certain circumstances, contravene local laws.

At Neon, we have team members all over the globe, and in some jurisdictions, background checks are simply not allowed. This put us in a unique situation, prompting us to deviate slightly from the conventional SOC2 approach.

Our solution? Instead of traditional background checks, we’ve implemented a comprehensive reference check policy. This policy allows us to gather the necessary information about potential hires in a manner that is both respectful and legally compliant. It’s an innovative approach that balances our need for diligence with our commitment to respect each jurisdiction’s specific regulations and our core principles of respecting individual privacy and maintaining legal compliance.

What’s next? 

Now that we’ve achieved SOC2 Type 1 compliance, we’re committed to continuously fine-tuning our security measures and informing our users about our progress.

Our next steps will involve maintaining our current level of compliance and working towards SOC2 Type 2 compliance. While Type 1 compliance concerns our systems and processes at a specific time, Type 2 compliance involves demonstrating that we can maintain those high standards over time, typically six months to a year.

In addition, we’ll continue to innovate and improve our security measures based on the latest best practices and user feedback. We’re dedicated to ensuring that your data security remains our top priority, and we won’t stop improving.