WarpBuild's SOC 2 Certification

26 September 2024 | 19 minute read

SOC 2 Type II certification is a significant milestone for WarpBuild, demonstrating our commitment to security and trust. It is especially important for us as we continue to onboard new customers of all sizes, many requiring SOC 2 certification.

What is SOC 2 Certification?

SOC 2 certification is a widely recognized standard for evaluating the security and controls of a company's information systems. It is a voluntary process that requires a company to undergo an audit by an independent third-party auditor. The audit evaluates the company's controls over security, availability, processing integrity, confidentiality, and privacy of customer data.

Who certifies this?

The American Institute of Certified Public Accountants (AICPA) is the organization that oversees the SOC 2 certification process. The AICPA has developed the SOC 2 standard, which is used by auditors to evaluate the security and controls of a company's information systems.

Types of SOC 2 certifications

There are two types of SOC 2 certifications:

  • SOC 2 Type I: Focuses on the design of controls at a specific point in time. This is a one-time audit that evaluates whether the company's controls are suitably designed as of a given date. It is typically used by organizations that are just starting to implement security controls and want to demonstrate that a basic level of security is in place.
  • SOC 2 Type II: Evaluates the operating effectiveness of controls over a period, typically 3 months to one year. This is a more comprehensive audit, typically used by organizations that have been operating for a while and want to demonstrate a more comprehensive level of security in place.

Security questionnaire as a stop-gap solution

Many companies use a security questionnaire to assess the security of a company's information systems. This is a more informal process than SOC 2 certification but could unblock the procurement process.

Some companies can send a security questionnaire from their compliance tool. I've found that a standard questionnaire like this is a good option for minimizing effort:

  1. Whistic can help centralize security questionnaires and posture reports. IMO, it is overkill for a stop-gap solution.
  2. CAIQ Lite v4 is a fantastic option in a spreadsheet format.

Who is this for?

Most B2B companies require SOC 2 certification as a part of the procurement process.

Financial institutions, healthcare providers, and other organizations that are subject to regulatory requirements usually have additional compliance requirements such as HIPAA and PCI DSS, apart from SOC 2 certification.

Do you really, really need SOC 2 certification?

The founder of a SOC 2 audit company advised me to not do SOC 2 certification until we had a few customers who refuse to sign up without the certification.

If you are targeting SMB customers exclusively or your customers are not regulated, evaluate if you can skip SOC 2 certification.

Evaluate if a standard security questionnaire will suffice instead. This can be a good option as a short-term solution while you are in the process of getting SOC 2 certification.

General thoughts

  1. Once you decide SOC 2 is mandatory, start immediately
    • Start the SOC 2 certification process as early as possible. It gets more complex as the company grows - both in terms of the number of users and the number of services.
    • Both the dollar cost and the effort required increase as the company grows.
  2. SOC 2 certification is not going to get you new customers.
    • It will only help resolve some blockers during the procurement process.
  3. SOC 2 Type I certification is useful if you desperately need to onboard a customer. It's a waste of time and money in most cases.

Evaluating compliance automation tools

I spoke to a few compliance automation companies. Here are the dimensions that matter:

  1. Product: The tool should be able to automate the evidence collection along with the flexibility to adapt to your internal processes. Most tools will cite 80-95% automation.
    • There is always a manual effort involved in the certification process, so good support is a must. IMO, support >> product automation.
    • Integration with AWS, Azure, and GCP is a must, along with GitHub and other common tools. Existence of these common integrations is table stakes. However, the quality of the integrations is not obvious before sign-up.
    • I was not very impressed with the quality of integrations with Sprinto but they made up for that with a good support team.
  2. Cost: Most companies are flexible on their pricing, especially if you get into multi-year contracts. A good hack is to start the process at the end of the quarter so that you can get a discount.
    • Generally, the cost order is: Drata ~ Oneleet > Secureframe > Vanta > Sprinto
  3. Documentation: Guides and documentation on how to use the tool are useful in saving time.
  4. Auditor Network: A company that has a network of auditors that they already work with makes the transfer of evidence from tool to auditor seamless. This generally is not an issue.
    • Sprinto gets an extra point because they have auditors who can support a wider budget range than the others.
  5. Support and Responsiveness: There are a LOT of back and forths during the setup, evidence collection, and audit processes. This is a big deal. It could add weeks to the process if the support folks are not responsive.
    • Sprinto was upfront about having very hands-on support. This was a very good thing in hindsight.
    • Support was on Slack Connect and ready to hop on a call quickly for unblocking issues.
    • Evaluating this is only possible after signing up. I spoke to users of other products and generally found that most companies have mediocre support, with the exception of Oneleet.

Here's my evaluation matrix:

Criterion // Company: Secureframe, Vanta, Drata, Sprinto, Oneleet
Cost: ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Product and Integrations: ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Documentation: ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Auditor Network: ⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Support and Responsiveness: ⭐⭐⭐⭐⭐

❓ = Not evaluated

Other considerations

  1. The auditor reputation supposedly matters, for certain customers. Pick an auditor that has a good reputation.
  2. Some companies charge extra for enabling a Trust Center.
  3. Oneleet is rather unique:
    • They are much smaller than the other companies and the founders are very involved. This leads to generally better support.
    • They claim to actually help your team implement a good security program and improve the security posture of the company. This should be obvious table stakes for any compliance automation company. That it is a differentiator for Oneleet speaks to the general state of the industry.

Our choice: Sprinto and Prescient

I chose Sprinto because of their hands-on support and because they were the cheapest option.

Prescient were our auditors. They have a good reputation from what I could find from other founders.

Process

This section is specific to our experience with Sprinto. For context, we are a small team of 5 people. Our infrastructure is multi-cloud, with AWS hosting most of our infra and some spread across GCP, Azure, and Mac Stadium. This could change in the future.

Audit Readiness: Evidence Collection

We are an engineering-focused team and already had a lot of the best practices in place. That helped us quite a bit.

Here are the interesting things about the certification process that stood out to me:

  1. It requires at least 2 people to be involved in the process, as a part of some checks.
  2. A pen-test is recommended but not mandatory for the SOC 2 Type II certification. This comes at an additional cost for most providers.
  3. We did not have a tool in place for MDM (Mobile Device Management) before the audit and needed to get that sorted.
  4. It is important for the production environments and customer data to be kept secure. We had most of these in place, so it was relatively easy.
    • Tag all infra with the environment details.
    • Having fewer environments makes this process much simpler.
    • We do not have a requirement to replicate data across environments. This made our data posture much simpler.
    • Ensure all prod DBs and data are in private VPCs and not publicly accessible.
  5. We set up Cloudflare for WAF. The paid plan comes with default protection rules which are quite valuable. This was a good option given we are multi-cloud. The DDoS protection is very helpful, and free.
  6. Setting up an Intrusion Detection System (IDS) was tricky - there is a non-trivial cost associated with this. We decided to use the cloud specific options because of ease of setup. We will revisit this later.
  7. This was a forcing function for formalizing the incident response process and exercises for backup-restore.
  8. GitHub Team plan is the minimum required. We were on the Enterprise plan with most of the checks already in place.
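A check of the kind item 4 describes, as an added example rather than WarpBuild's or Sprinto's code: it audits a constructed inventory, shaped loosely like the AWS RDS `describe-db-instances` output, for resources missing an environment tag and for prod databases marked publicly accessible. The tag name `Environment` and the sample instance names are assumptions.

```python
from typing import Dict, List

# Constructed sample data (assumption: illustrative only, not a real account),
# shaped loosely like `aws rds describe-db-instances` output.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": False,
     "TagList": [{"Key": "Environment", "Value": "prod"}]},
    {"DBInstanceIdentifier": "analytics-prod", "PubliclyAccessible": True,
     "TagList": [{"Key": "Environment", "Value": "prod"}]},
    {"DBInstanceIdentifier": "scratch-db", "PubliclyAccessible": True,
     "TagList": []},
    {"DBInstanceIdentifier": "orders-staging", "PubliclyAccessible": True,
     "TagList": [{"Key": "Environment", "Value": "staging"}]},
]


def tags_of(instance: Dict) -> Dict[str, str]:
    """Flatten the AWS TagList [{Key, Value}, ...] into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("TagList", [])}


def audit_db_instances(instances: List[Dict], env_tag: str = "Environment",
                       prod_values=("prod", "production")) -> List[Dict]:
    """Return one finding per control violation, in inventory order.

    Controls checked (the two from the post's list that this data can show):
    every instance carries an environment tag, and no prod instance is
    publicly accessible. An untagged instance is treated as prod for the
    exposure check, because an unknown environment cannot be assumed safe.
    """
    findings = []
    for inst in instances:
        name = inst["DBInstanceIdentifier"]
        env = tags_of(inst).get(env_tag)
        if env is None:
            findings.append({"resource": name, "control": "missing-env-tag"})
        is_prod = env is None or env.lower() in prod_values
        if is_prod and inst.get("PubliclyAccessible", False):
            findings.append({"resource": name, "control": "prod-db-public"})
    return findings


if __name__ == "__main__":
    for f in audit_db_instances(SAMPLE_DB_INSTANCES):
        print(f"{f['resource']}: {f['control']}")
```

In practice the inventory would come from the cloud API for each account and environment; the point of keeping the check in code is that it becomes repeatable evidence rather than a one-off screenshot.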

Sprinto: Product Review ⭐⭐

The Sprinto product is quite basic, but it works well when coupled with responsive support. A lot of actions are much easier to do in the backend by support than in the UI. Here are some observations:

  1. The UI is dated, and laggy. There are lots of modals, drawers, and popups. Contents do not update after an action and need page refreshes. This was very frustrating.
  2. The integrations with AWS, GCP, Azure, and Cloudflare are basic. The refresh interval is slow (~once a day), so changes can take a while to show up.
  3. GitHub integration was pretty poor. Repo rules set at the org level were not reflected.
    • Bulk updates are not possible.
    • Automated commits by a bot for GitOps were being flagged as commits without review. Our current process is that support bulk updates it in the backend once a week.
  4. The Trust Center design could be better, but it comes at no additional cost.
  5. The documentation is passable.

The fact that we had a Slack Connect channel with support and could offload a bunch of tasks to them was a huge plus.

Cost

You can expect to spend ~$8-10k for the first year, split half and half between Sprinto and the auditor.

Some of the product and auditor combinations go up to $15k. You're being ripped off if you spend more than that as a company of less than 50 people.

Getting a SOC 2 Type I certification costs ~$2-4k more.

Timeline

Date | Event | Notes
March 21-28 | Calls with various compliance automation companies. | Sales teams across the board are really responsive.
March 29 | Signed up with Sprinto | -
April 02 | Got access to Sprinto dashboard | -
April 02 | Call with Onboarding Manager | My onboarding manager was fantastic - super knowledgeable and responsive.
April 03 to May 13 | Getting the compliance checklists in place | This could have been ~2 weeks faster, but we were occupied with product releases.
May 13 to Aug 13 | Evidence collection period | Found multiple rough edges with the product integrations that were annoying, but support helped resolve things quickly.
Aug 20 | Auditors got access to Sprinto evidence | This was entirely avoidable.
Aug 20-28 | Auditor evidence review: Testing | Initial review and questions. The timeline given was 4-6 weeks after the testing period.
Aug 28 - Sep 18 | Auditor evidence review: Finalization | Following up every 2-3 days and lots more back and forth with auditors about the evidence.
Sep 19 - Sep 23 | Draft SOC 2 Type II report review | I reviewed it thoroughly and corrected errors in the draft report.
Sep 24 | WarpBuild is SOC 2 Type II Certified | The final report was e-signed and issued.
Sep 25 | WarpBuild Trust Center Setup | The trust center was set up and the SOC 2 Type II report was published. SOC 2 logo is updated on the website.

Tip

  1. Connect the Sprinto POCs to the audit team. It helps get people aligned.
  2. 1-2 weeks before the end of the evidence collection window, send a reminder email to Sprinto POCs and the audit team. Auditors could be busy with other engagements, so the heads up will help.

Final thoughts

The overall process took ~6 months. Practically, in the best case it could have been ~4.5 months. We had to spend ~7 days of engineering time to get the compliance checklists in place.

It was a conscious effort to ensure that the team is not burdened with the compliance process and I went through every policy document in detail to ensure that.

We took this opportunity to ensure we had lightweight processes for best practices that we didn't previously have.

WarpBuild is now SOC 2 Type II certified, with unqualified opinion attestation (that's a good thing).


Note

WarpBuild provides GitHub Actions runner infrastructure for optimized CI with fast disk IO and improved caching. You can run this in our cloud or in your own cloud account with our Bring Your Own Cloud (BYOC) option, and get 10x cheaper runners while improving performance. Get started today.

