Seeq began offering our advanced analytics applications as Software-as-a-Service (SaaS) in 2018. SaaS offers many benefits to end users, including higher performance, better supportability, and lower overall costs. However, there can be a perceived risk associated with SaaS offerings because end user data lives in the cloud on computing resources managed by a vendor. The "Security, Availability, Processing Integrity, Confidentiality, and Privacy" of customer data depends largely on the controls used to operate the vendor's organization and, specifically, on the controls used to operate the SaaS service.
"Security, Availability, Processing Integrity, Confidentiality, and Privacy" are the AICPA Trust Services Criteria (often still called the Trust Service Principles) against which SaaS providers are expected to design, operate, and maintain their controls.
The onus is therefore on vendors, including Seeq, to gain and hold the users' trust. Seeq uses well-documented software development and customer support methodologies, in addition to these principles, to develop our SaaS operations processes. We began this work by creating Master Trust Policies, which detail the overarching policies for operating our SaaS Service. To address queries on Seeq's policies, many customers require a third-party attestation to the controls Seeq has in place to assure we meet the Trust Service Principles. Fortunately, there is a standard audit framework that provides this attestation: the AICPA SOC 2. In fact, most SaaS customers and SaaS vendors strongly recommend a formal AICPA SOC 2 audit report. Therefore we began preparations for a SOC 2 Type 1 audit in late 2019. We completed the audit on September 20th, 2020, and received a clean report on November 20th, 2020.
SOC 2 Audit
The SOC 2 audit covers five key areas of controls, which are the components of the COSO internal control framework on which the SOC 2 common criteria are organized. Controls are the policies, procedures, systems, and measures that assure we meet the Trust Service Principles. The five areas are:
- Control Environment—The overall tone, embodied by Seeq's awareness of the need for controls and the emphasis given to the appropriate controls through management's actions supported by its policies, procedures, and organizational structure.
- Information and Communication—Seeq's continual, iterative process of providing, sharing, and obtaining information—including policies and procedures—that the entity needs in order to carry out its internal control responsibilities and support the achievement of its objectives.
- Risk Assessment—Identifying and assessing relevant risks, which forms a basis for determining how each risk will be managed.
- Monitoring Activities—Evaluations used to ascertain whether each of the five components of internal control, including controls to affect the criteria within each component, is present and functioning.
- Control Activities—Actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
Applying SOC 2 at Seeq
As background for the audit: since the founding of Seeq, the executive team has balanced speed and agility with sound processes, procedures, and systems. This balance has enabled us to deliver software with consistent product releases, mature product support, and sound business practices.
But were improvements in some control areas required to meet the Trust Service Principles? In early 2019 we engaged Tevora, an information security and data protection service provider, to assist and advise Seeq on this question. Tevora produced a SOC 2 readiness assessment report, which served as a blueprint of the areas we needed to address prior to the SOC 2 audit.
For example, two areas where we made significant improvements prior to the audit included:
- SaaS Operations. This is the team that is responsible for delivering the SaaS Service. The team, leveraging much of the methodology of our development team, created and improved policies, systems, and processes for the operation of the SaaS Service.
- Risk Management Program. We created a comprehensive risk management program that identified and assessed risks that could cause disruptions.
Although the preparation effort was driven by the upcoming SOC 2 audit, we consider the work and the improvements we put in place to be good business practices in their own right. We are confident we have the controls in place to deliver our SaaS solutions and meet the Trust Service Principles.
The Seeq audit was SOC 2 Type 1. A Type 1 report attests that, as of a specific date (in this case September 20th, 2020), the controls are suitably designed and have been implemented; it does not test how those controls operated over a period of time. Later in 2021, we plan to undergo a SOC 2 Type 2 audit, which tests the operating effectiveness of the controls over a review period and will attest that we have indeed incorporated all this work into the everyday operation of Seeq and our SaaS offering.
The SOC 2 report serves as evidence that Seeq addresses the concerns of IT and risk management organizations, and it is available upon request.
If you’re ready to accelerate insights at your operation and simultaneously ensure your data is protected, schedule a demo with one of our advanced analytics experts and see what Seeq looks like in action.