We're committed to keeping K12 and higher-ed PII safe.
So much so that we're putting our money where our mouth is.
Getting a SOC 2 Compliance audit isn't cheap or easy. Being able to give our clients and users peace of mind in our ability to keep your PII safe is worth it to us.
We're working with Drata to track our compliance and security status 24/7. We're building a single picture of our controls, people, devices, applications and vendors.
We've got no doubt we'll be audit-ready in no time. In January of 2022 we'll engage a professional auditor to kick off the SOC 2 compliance audit.
If at any point you want to see our progress towards SOC 2 compliance, you can check out this dynamically generated page that Drata provides for us.
What is SOC 2?
SOC 2 stands for “Service Organization Control 2”. It’s a set of compliance priorities and criteria created by the American Institute of CPAs (AICPA). It ensures that sensitive data is being stored in the cloud in a secure way.
There are different "types" of SOC 2. Type 1 is focused on taking a "picture" of a company's security controls - a snapshot in time. In a Type 1 audit, an auditor checks over the evidence of your security practices once. Type 2 is more like a story or a movie of an organization's privacy measures. The auditor is making sure that we're maintaining our security controls and practices.
Why SOC 2?
There are many certifications Edlink could get. There are the various IMS Global Certifications, iKeepSafe (FERPA, COPPA) and more. SOC 2 is an accepted security standard that is not specific to edtech. It defines criteria for managing customer data based on five “trust service principles.” They are security, availability, processing integrity, confidentiality and privacy.
SOC 2 measures qualities and controls that are important in great tech companies. The work we do (or in most cases, have already done) for our SOC 2 audit will map to other security certifications.
Another reason this is exciting for us: an unbiased, external security expert will vet us. Many common certifications in edtech are marketing grabs. This is not. SOC 2 is a true demonstration of technical security and excellence. In short, it's worth the money.
The SOC 2 audit process is not for the faint of heart. Our small team, with the help of Drata, is actually well positioned to handle it.
Having our entire team under one roof makes it easy to get everyone on board (and everyone must be on board). We are all digital natives so we're already using personal security best practices. Some of us have worked on compliance projects before. We have unanimous buy-in to make this a priority as an organizational milestone.
Doing this while we're a small organization is important to us. It will inform our security practices and procedures as we continue to grow, ensuring that as we scale we have the infrastructure to keep the very PII we process safe.