We are happy to announce that AgileVision.io received a SOC 2 Type II report as a result of our compliance journey. Becoming SOC 2 compliant in 2024 was one of our annual goals, and it’s always a rewarding feeling to check those off.
There are different perspectives on SOC 2 and similar certifications. For us, it’s an opportunity to get an independent review of our processes, ensure we follow industry best practices, identify possible issues and improve our organization. Additionally, due to the nature of SOC 2 compliance, it’s easier for our existing and potential customers that are SOC 2 compliant (or planning to be) to work with us if we are compliant too. In other words, it also improves our business development capabilities.
What is SOC 2?
System and Organization Controls 2, also known as SOC 2, is a certification standard whose main goal is to evaluate the processes and controls an organization has in place to address various aspects of its business, such as security, availability, processing integrity, confidentiality, and privacy.
Important things to know about SOC 2:
- The trust criteria to be evaluated are selected by the organization. Security is the only required one; depending on business type and needs, other aspects like availability, processing integrity, confidentiality, and privacy can additionally be included.
- The audit is performed by an independent organization.
- Auditors use evidence provided by the organization to verify that the corresponding controls are in place and are being enforced.
- There are two main SOC 2 report types: Type I and Type II. Type I certifies that the organization has all the required processes and controls in place at a point in time. Type II certifies that the organization continuously adhered to those processes and controls over a given period of time (the audit window).
To sum it up, by being SOC 2 compliant, an organization proves it walks the talk and operates exactly as it promises.
Improvements and discoveries along the journey
There would not be much value in this blog post if we did not share the actual results of becoming SOC 2 compliant. First of all, we got a real-time dashboard that shows the current status of our compliance.
Once there is an issue, we get notified about it along with the required remediation timeline to adhere to our SLAs.
For example, identified security vulnerabilities are collected from various systems and grouped by severity level.
Usually, such vulnerabilities appear for existing systems when information about new CVEs appears in the corresponding vulnerability scanning tools, or right after deployment of new software to our infrastructure.
One of the things we had not fully realized before is the number of known security issues present in popular open-source packages. Now, once such a package is installed, we evaluate the security risks and then decide on next steps. If there is no feasible way of resolving those security issues, we ditch the package and look for an alternative.
We also have a detailed list of software vendors, along with important security-related information, on the compliance platform.
Along the way we learnt that AgileVision.io was already doing many things that are part of SOC 2 compliance, since those always seemed like the proper things to do: for example, keeping an inventory of cloud assets, or reviewing access controls. By passing the SOC 2 audit and using a compliance platform, we ensured those “good things” happen on a regular basis and that there is evidence for it.
The importance of a trusted auditor
Based on what you have learnt about SOC 2, it’s crucial to have a strong auditor who can be trusted. On our SOC 2 journey, we wanted to be sure we work with a reliable partner who would give us a fair assessment. We don’t have the luxury of treating this like a simple badge (it would be too expensive a badge), and it also wouldn’t fit our vision.
We also wanted to work with a partner who could take their time and actually understand our business. We are a software development company, and back in 2022 we had to put our SOC 2 process on pause, since our first auditor failed to understand that there is a huge difference between software development and SaaS companies. Our hour-long (billable) meetings with different team members were spent explaining to them how we operate and how it’s different from Software as a Service.
So this time we started right away by finding a proper partner who actually cares about their customers and values their time. That way we found three potential candidates. Another search criterion for us was separation of duties: the technology platform for compliance and the auditing team should be separate. We didn’t want to go the all-in-one route for several reasons. This left us with two equally great candidates, though the one we identified as top-notch was InsightAssurance. Disclaimer: we are not being sponsored in any way to write this; it’s just a personal experience we are glad to share.
Awesome stuff about them (the devil is in the details):
- On the first call with them there was no “marketing BS”; we explained our situation and they adapted the discovery call to our needs.
- Communication with them was fantastic. During the process, there were several “account handovers” where their point of contact had to change. There was not a single occasion where we had to explain something to them again: their internal processes are good enough to keep our record and the context of our communication.
- Their auditors are a joy to work with!
- All evidence is uploaded through our compliance platform. No emails or Slack messages to share the evidence.
We realized there could be some issues since it was our first audit, and InsightAssurance brought up several items which for sure needed to be improved. We got our report with exceptions, and that makes it more valuable to us. Our company invested in this audit, and we got valuable feedback along with recommendations for needed improvements.
The beauty of the compliance platform
Based on our previous negative experience, we came to the conclusion that the vital part of compliance success is a compliance platform. For a small organization like ours, maintaining all controls manually and providing the evidence would be a disaster.
A compliance platform provides the following benefits:
- A pre-made set of automated and manual controls crafted for specific standards (SOC 2, ISO, HIPAA, etc.)
- Automated evidence collection from different systems used by the organization.
- A centralized documentation repository for the organization and the auditor, meaning all the data, including documentation, is stored in one place and can be accessed there. For example, we use Confluence for all the documentation in our organization, and our compliance platform automatically extracts SOC 2-related documentation from it. This way, we can use our “normal” tool for documentation, and the auditor can access it. No need to manually export and share it with auditors.
As I mentioned before, in the past we had to put our preparation for SOC 2 compliance on pause. Once we started using a compliance platform, I realized that an attempt to become SOC 2 compliant without a proper tool would have been futile anyway.
We started our shopping process for a compliance platform. The selection process included 3 vendors. One vendor naturally got filtered out because it took them so much time to respond to a meeting request that we had already signed an agreement with their competitor.
For our compliance platform we selected Vanta right on our discovery call. As opposed to their competitor, on the discovery call Vanta’s AE ditched the slide deck right after we asked them to and explained the aspects that were important to us (Hi Grainne, thank you!).
Cool things about Vanta:
- We compared our lists of current and future software vendors (yes, we plan purchases of SaaS and tools well in advance) against their integrations list, and it covered 99% of our needs.
- Once we had a hiccup with the AWS integration, they immediately helped us with relevant advice. It’s so valuable in the modern world of generic AI-bot responses.
- The dashboard and notification mechanisms are well-designed and ensure we never miss an SLA. Hard to believe other platforms are somewhat behind on such simple things, but I saw it with my own eyes.
Disclaimer: we are not being sponsored in any way to write this, BUT I have received a pair of branded socks from Vanta after getting our SOC 2 compliance. I love nice socks, but most likely it didn’t affect my judgement. At least these have not been delivered yet, so my judgement for sure is not fully affected.
Final words
SOC 2 is a continuous process, and this is the beginning of our compliance journey. It’s a valuable certification for an organization, especially if it’s taken seriously by the company leadership. I’m really grateful to everyone involved in our SOC 2 certification journey, especially to every AgileVision.io team member.