Airbase’s commitment to security: The importance of SOC compliance.

Data protection is essential for everyone. As the threat of data breaches intensifies, companies must be confident that the most up-to-date, secure practices protect their data. This includes not only the security controls implemented internally, but also the security and confidentiality of data residing on third-party systems and applications. 

The risks are evident and rising. Malware attacks rose by an astonishing 358% in the past year. The stakes are also increasing: The average cost of a data breach is $8.46 Million in the U.S., according to a report from IBM. Importantly, the report found that it takes an average of 280 days to identify a breach. 

At the core of our security protocols is Service Organization Control (SOC). Airbase has achieved the following important SOC attestations:

• Our SOC 1 report represents an audit of our internal controls over financial reporting. Airbase is SOC 1 Type II compliant. 
• Our SOC 2 report represents an audit of our controls related to the Trust Criteria of Security, Availability and Confidentiality.  Airbase is SOC 2 Type II compliant. 

The standards for SOC 1 and SOC 2 are established by the Auditing Standards Board of the American Institute of CPAs (AICPA). Each audit is conducted by CPAs, who issue an attestation report at the end of the audit.

SOC 1.

SOC 1 reports concern a company’s internal controls over financial reporting and validate the accuracy of the financial reporting and regulatory requirements.. There are two types of SOC 1 reports.

• SOC 1 Type I looks at a moment in time. 
• For SOC 1 Type II, third-party auditors attest to the effectiveness of the controls over the period of time. Airbase is SOC 1 Type II compliant.

SOC 2.

The SOC 2 auditing process centers around five trust principles:

• Security
• Confidentiality
• Privacy 
• Availability
• Processing integrity

Businesses choose the primary principles for their audit; however, the largest part of the audit is the Common Criteria section, which examines information security from all angles. 

SOC 2 reports verify that a company has completed this process and are differentiated as follows:

• SOC 2 Type I represents an attestation of controls at a specific moment in time. 

• SOC 2 Type II is an attestation of controls over a period of time (a minimum of six months). 

In other words, a SOC 2 Type I report examines the design and implementation of a business’s controls and policies. Because a SOC 2 Type II report examines the effectiveness of those controls over time, it assesses whether or not they function properly.

The standardized process represented by SOC 2 compliance verifies that security policies and practices have been thoroughly audited. The SOC attestation report process is unique in that it is an evaluation framework specifically tailored to each business, instead of an outline of rigid rules. An audit emphasizes sustainable security policies, and compliance is therefore an ongoing process instead of a destination achieved. That’s important in the rapidly changing world of cyber security. 

You can learn more about Airbase’s security practices, and Airbase will share our SOC 2 Type II and SOC 1 Type II reports on request, following completion of a non-disclosure agreement. 

The audit process.