After a year of work by our SRE team, Flood is excited to announce we have reached SOC2 Type I compliance, bringing audited Security and Privacy controls to our product and business operations.
What is SOC2 compliance?
SOC stands for Service and Organization Controls. It defines a set of controls covering five trust service principles: Security, Privacy, Availability, Processing Integrity, and Confidentiality.
In Type I compliance, an independent Auditor verifies that we have implemented the controls as said we would. In Type II compliance, the Auditor checks the “operational effectiveness” of the controls, which is to say they verify we continue to comply at various times throughout the year and grants Type II compliance after we have maintained compliance for one year.
For many security-minded customers, SOC2 is the minimum requirement of a vendor before doing business with them.
The 5 Trust Service Principles:
SOC2 is organization-specific, meaning each organization defines its controls to comply with each trust principle. The principles are very detailed, running into dozens of sub-categories. We don’t go into them here, but I’ll give you an overview of what is covered.
Generally speaking, we can say that the five principles cover Security and Privacy, because Security, in the standard Security triad, covers Confidentiality, Integrity, and Availability.
Security refers to the protection against unauthorized access. Implemented through access controls, monitoring, and organizational changes to ensure everyone in the organization understands the security requirements, and they are understood and implemented from senior management down through all teams.
Security principles include controls for correcting for deviation from changes that may occur from time to time, how we track and document changes, and how we detect changes, including conducting vulnerability scans.
The Availability principle relates to ensuring we maintain, monitor, and evaluate our services’ availability in line with our SLAs. Availability is squarely in our wheelhouse as a core principle of performance engineering, and an activity we have been doing in the general day to operations of Flood for the past seven years.
The availability principle includes measuring and forecasting usage, ensuring our systems scale with demand, performing backups, and ensuring we can restore from backups with minimal disruption and running critical services in multiple availability zones for redundancy.
The Confidentiality principle relates to how we identify confidential information, how we handle it, access it, store it, and the processes in place to destroy it when no longer needed.
At Flood, we’ve implemented strict controls to enforce encrypted transfer and storage of all customer data, bound by access controls to restrict further access to only those who need to access it.
The processing integrity principle addresses whether our systems produce the correct results when processing information, including what data is needed, and whether the result is accurate, and ensuring the results are only available to the right parties.
Whether you’re running load tests on the cloud, or your premises or private data center using Flood Agent, the Flood team and the rest of our organization have taken a considered and careful action to ensure that any data send us is protected and only used as needed while you’re a customer.