If You’re Not Doing Business with a Company Who is SOC II Compliant, You’re Already Losing Your Edge

SOC and Customer Value Data – Why it’s Important
When considering a Customer Value Management application or platform, service offering (including consulting services) or other forms of business case development tools or value realization tools, it’s important that any approach you choose has SOC 2 compliance. This detailed third-party evaluation will ensure that the data you maintain about certain key financial metrics, formulas and raw data about how your customer evaluates your product or service is handled and kept secure. Likewise, a Type II certification is essential.  More than just a snapshot, you want the confidence that comes from knowing that the data protections in place have been proven over time. The end-customer data you are using to build business cases is precious. Ensuring it is protected is key to initiating or continuing a relationship on the right foot. Especially if your customer’s auditor comes calling and wants to see how you’ve managed or handled the information or outputs.  If an auditor finds their user’s data is not being properly secured on your end, an audit finding will make its way to their board of directors, and create embarrassment and potentially cause irreparable damage to the relationship.  So before you use any tool to develop a client cost/benefit analysis or business case, whether it’s a software solution, labour-based consulting solution, a home-grown application or a spreadsheet solution, it’s crucial you ensure SOC 2 / Type II compliance is demonstrated. 

The DecisionLink ValueCloud® is uniquely SOC 2 / Type II compliant. We are extremely proud of the strict security policies and procedures we have in place to protect the essential value data that our customers use when marketing, selling or providing customer value.  

But what do all these categories mean and what is the difference between SOC 1 and SOC 2 or Type I and Type II?  Below we describe the differences:

Understanding SOC 1 vs. SOC 2
In general, SOC is a compliance framework that verifies the controls used within an organization. The SOC 1 audit focuses on the safe and secure handling of users’ financial information. It’s important to make sure a company is SOC 1 certified if their product or service affects your financial reporting. It would also be important if you want to have the “right to audit.” If the company has SOC 1 in place, compliance with this kind of request can be more efficient. Any company that is publicly traded should have SOC 1 certification as part of their compliance with the Sarbanes-Oxley Act (SOX). 

SOC 2 compliance is more relevant if a company processes other types of corporate data (e.g., CVM providers). This framework focuses on an organization’s cloud and data center security controls. It is grounded in the AICPA’s Trust Services Criteria:

  • Security that protects systems and data against unauthorized access or confidentiality, integrity, availability, and privacy compromises
  • Availability of systems for use and operations
  • Processing Integrity — is it timely, accurate, and authorized?
  • Confidentiality of information is appropriately protected
  • Privacy of personal information is maintained. It can only be used, retained, disclosed, and disposed of appropriately.

The Difference Between Type 1 and Type 2
The designations of Type I and Type II exist for both SOC 1 and SOC 2.  This characterization is more about the scope of the certification. Type I for SOC 1 is about how the financial controls are designed, while Type II shows how they perform over a period of time. Similarly, for SOC 2, Type I denotes a point-in-time snapshot of the organization’s controls to validate their design. Type II looks at the effectiveness of those controls over a longer period, typically 12 months. 

SOC in CVM – Why it’s Important
When considering a CVM platform, it is important that any solution you choose has SOC 2 compliance. This detailed third-party evaluation will ensure that the data you maintain about the value your products or solutions deliver to your clients is kept secure. Likewise, a Type II certification is essential.  More than just a snapshot, you want the confidence that comes from knowing that the data protections in place have been proven over time. The end-customer data you are using to build business cases is precious. Ensuring it is protected is key to it delivering long-term real-world value for your business and for your customers’ success.

 The DecisionLink ValueCloud® is fully SOC 2 / Type II compliant. We are extremely proud of the strict security policies and procedures we have in place to protect the essential value data that our customers use our platform to collect and preserve.