We're excited to announce that Lumo is officially SOC 2 Type 1 and Type 2 compliant! TL;DR Your data is safe with us, and our security controls have been examined and verified by an independent auditor.
What is SOC 2 compliance?
SOC, which stands for Service and Organization Controls, is a security framework introduced by AICPA. A SOC 2 Audit Report is an audit of a company's controls in place relative to the criteria established by AICPA, conducted by an independent auditor.
What do the auditors look for?
There are several criteria established in the SOC 2 framework, ranging from data protection to employee policies to infrastructure security. Here are examples of some of the criteria auditors look for.
- Sound management: Does the company have an independent board of directors?
- Internal and customer communications: Does the company have procedures to communicate product updates, downtime, etc. internally and to customers?
- Access controls: Does the company have policies that ensure only those with a specific need can access customer data?
- Vulnerability scans: Does the company have automated scans of the network for intrusion detection? Is third-party vulnerability testing performed?
- Clearly written policies: Does the company have clear policies on what to do if an employee finds a security bug? Do employees undergo security training periodically?
- ... and many more
For each of the criteria, Lumo worked with our auditor (shout-out to our auditors Dansa D'arata Soucia!) to provide evidence that the criterion was met; the auditor then examined the evidence and certified that the requirement was satisfied. The audit is performed over a period of at least 3 months (the longer the better - Lumo's was conducted over 6 months).
Why did you do it?
Quite simply, it helps build trust with enterprise customers who have robust information security requirements. Also, filling out one-off information security worksheets is no fun, and being SOC 2 certified cuts down on some of the work.
What does this mean for me, a customer?
It means that you can rest easy that your data is safe with us: our infrastructure is secure and constantly monitored, we have policies in place to ensure data is accessed only by those who need it, and we have processes in place to quickly respond to any security incidents that might occur. Rather than sending us an extensive security worksheet, your IT team can use our SOC 2 report as a starting point to certify Lumo as ready to handle your data.
Why weren't you certified earlier? Does this mean the data wasn't secure?
Your data was always safe with us. All that changed was that we invested the time and resources to document our controls and have them independently verified.
A SOC 2 audit is expensive and time-consuming. Most startups are short on both money and time with competing priorities, so it only made sense to get certified once we reached a certain scale and technology maturity.
When COVID hit, we had some spare bandwidth and decided it would be the best time to get our reporting in order. Turns out it was perfect timing now that travel is beginning to rebound, and it reduces the time we would spend with new customers in going through an information security checklist.
Any tips for other startups looking to get compliant?
Getting SOC 2 compliant generally makes sense only if you're doing a lot of B2B enterprise software sales, and the sales process is getting bogged down by security worksheets (or worse, you're losing sales because you aren't meeting some requirements). It does take a fair amount of effort, but we used Vanta to monitor and automate our compliance reporting, which streamlined a lot of it – we highly recommend using them!
Also, work toward certification only when you know you have the time (a few weeks of work prior to starting the audit, and a couple of hours each week to continue monitoring things, especially during pentesting and hardening your infrastructure) and money (tens of thousands of dollars) to ensure you're set up for success.