Maintaining data accurately and securely is our number one priority. Whether that’s your personal data, or the data you’ve collected in your forms, we focus on security so you can trust that your data is being managed properly.
To help ensure we’re doing everything we can in these areas, we’ve completed a SOC 2 Type 1 audit of our security and operational practices.
During a SOC 2 audit such as ours, independent third-party experts review our processes related to major trust principles. These include privacy, security, availability and processing integrity. The auditors then confirm organizations like ours have the necessary policies in place to support these principles.
We supplied our independent auditors with a detailed examination of both our platform and each step in its ongoing development. This included our procedures related to customer management, form building and entry management, as well as abuse prevention, customer support and product development. We also detailed our release management approach, bug fix procedures and feature development as well as our data management practices involving account data, payment data and organization data.
It was a thorough audit to say the least.
“While Microsoft ensures SOC 2 compliance around the servers we use to deliver Cognito Forms, we wanted to take an extra step and perform our own audit on our own processes,” explains Cognito Forms CEO Jamie Thomas. “We want to ensure we have the necessary policies in place to both safeguard the data our users entrust to us and operate our company in a responsible manner.”
As part of this process, we provided our auditors a holistic view of how our organization operates. This included reporting on our infrastructure, software, team members and organizational structure.
We explained our processes around employee management, including recruiting, hiring and communication. We then also appraised our internal operations for risk assessment and monitoring.
Ultimately, the independent auditors determined that we “meet the service commitments and system requirements relevant to the security, availability, processing integrity and privacy trust services categories, the security requirements of the Health Insurance Portability and Accountability Act (HIPAA) administration regulations and the International Organization for Standardization 27001 Information Security Management Standards.”
Having completed this initial step of the process, the same auditors will review the effectiveness of our controls over the next six months. If the auditors are satisfied with our adherence to the controls we presented during the Type 1 audit, they’ll certify us as having successfully completed a SOC 2 Type 2 audit.
This ongoing auditing process complements the measures we already have in place, which include available HIPAA compliance, compliance with the US Privacy Shield, CCPA compliance and GDPR compliance. We also host our platform on Microsoft Azure servers, and Microsoft maintains its own SOC 2 Type 2 compliance.