Virtru Security Insights

SOC 2 Compliance: Virtru Achieves Certification

Virtru SOC 2 Compliance

Virtru is pleased to announce our SOC 2 compliance certification. This new third-party certification gives our customers and partners independent validation that Virtru continuously follows security best practices for protecting data in the cloud.

Many organizations’ most valuable asset is their data. Yet once that data leaves their domain, the responsibility of keeping it safe falls on service providers like cloud vendors and SaaS companies. This puts the data owner in the uncomfortable position of being accountable for safeguarding data it no longer directly controls.

The Service Organization Control (SOC 2) examination framework and reporting platform, developed by the American Institute of CPAs (AICPA), addresses this problem by assessing the ability of service providers’ to secure cloud data. SOC 2 defines criteria mutually agreed upon by the security and privacy communities for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

The SOC 2 trust service principles give companies a way to understand their vendors’ specific controls and how they are tested, to validate that the vendor can protect data as it moves between the company domain and the cloud. A compliant vendor has to prove its ability to write and follow information security policies and procedures while undergoing a thorough technical examination. These processes are rigorous and resource-intensive, so only vendors with sophisticated and mature security programs in place successfully achieve SOC 2 compliance.

The Virtru SOC 2 Compliance Process

When we started this process at Virtru, we focused on the three trust service principles most relevant to our products and mission: security, confidentiality, and availability. In July 2017, we completed our SOC 2 Type 1 assessment, which established a baseline by evaluating our existing security measures and practices at that point in time. We designed and deployed repeatable processes at the conclusion of the Type 1 examination, and ultimately achieved Type 2 compliance by properly implementing the controls and following enhanced processes throughout the next 6 months.

SOC 2 Is A Journey, Not A Destination

The SOC 2 compliance journey involved the entire Virtru organization. As is true for any company, protecting data isn’t the job of the security team alone: everyone has to pull together for defenses to work. Our Vice President of IT and Infrastructure, oversaw our SOC compliance effort from start to finish, with key support from our Security Compliance Engineer. But at the end of the day, everyone at Virtru had a role to play.

“Successfully completing our SOC2 evaluation validated all of the hard work and thoughtfulness that the team here at Virtru uses to ensure the security and safety of our customers’ data.”

— Zach Nelson, Vice President of Engineering

For instance, some criteria we had to fulfill focused on hiring practices and employee onboarding, so our HR team was highly involved. Processes around developing and deploying code securely are incredibly important, so our engineering and devops teams played critical roles. Ongoing security education is another key focus, so the entire Virtru team supported SOC 2 compliance by regularly completing security training modules. Virtru has always been laser focused on security, and but going through the SOC 2 process heightened awareness throughout our organization and deepened our commitment to privacy for everybody.

As we move forward, an independent CPA firm qualified to perform SOC 2 assessments will periodically check that we are still successfully meeting the criteria of our chosen principles. At the end of each examination, the assessors issue a report on their findings and Virtru management attests to its accuracy.

Added Value for Our Customers

SOC 2 Compliance provides customers and prospects independent, third party validation that we are actively using best security practices and can be trusted to safeguard their data in the cloud. Our SOC 2 audit reports can be made available to all customers to review against their internal security practices. Existing customers can use this information to build trust with their own customers and auditors. For prospective customers, SOC 2 compliance makes it easy for decision-makers to make the case that a partnership with Virtru is a good fit, leading to more rapid deployments and faster time-to-value.

Alignment with Our Mission

The SOC 2 principles of confidentiality, security, and availability align with our commitment to data-centric security. Virtru is focused on more than protecting data shared in emails and files: we want to protect our users’ privacy.

Virtru believes that everyone should have control of their data. In pursuit of that vision, we strongly support compliance standards like SOC 2, which provide independent, third-party validation that appropriate security controls are in place. Email encryption matters to businesses, but privacy matters to everyone. Virtru’s SOC 2 compliance milestone aligns to our commitment to security best practices as we build a world where businesses and consumers can retain full control of their data.