Current is SOC 2 Compliant

Nov 14, 2022

8 minute read

Scott Savarie

Cofounder


Current is now SOC 2 Type 1 compliant. This blog post will dive into what SOC 2 compliance means, how we became compliant, and what it means for you if you want to use Current at your company. If you're interested in Current, join our waitlist.

What is SOC 2 compliance?

If you’re working at a medium-to-large sized company you’ve probably already been part of a SOC 2 or other compliance effort without realizing it. Remember all those training videos you need to watch? The security software your laptop comes pre-installed with? The pull-request templates you need to fill out? All of these “big company” things generally get introduced when a company decides to change how it operates in order to meet industry standards around security, availability, processing integrity, confidentiality, and privacy (the five AICPA Trust Services Criteria). A SOC 2 audit is essentially an independent review of how a business operates, conducted by a licensed CPA (Certified Public Accountant) firm, which results in an attestation report on whether your controls meet those criteria. Strictly speaking there is no SOC 2 “certification”; what you receive is the auditor’s report, and that is the document a customer’s security team will ask to see.

As a user of any product where you’re inputting sensitive data, or that you rely on for work, you want to know that the company behind it takes SOC 2 seriously.

Why (and how) we became SOC 2 compliant

Why we decided to become SOC 2 compliant is quite simple: not being SOC 2 compliant meant most people couldn’t use Current in their workplace. Designers, PMs, and VPs would be excited to use Current with their team, share it internally, gather interest and excitement, then quickly get shut down by the vendor security team. If you’re running a B2B SaaS product, you will inevitably encounter the same barrier to entry, so it’s worth becoming familiar with SOC 2 or other relevant compliance standards (ISO 27001, HIPAA, GDPR, etc.) early on.

Luckily there’s been a surge of compliance automation startups that make the process of becoming compliant with various industry standards much less painful than it was a few years ago. Secureframe, Drata, and Vanta are the three that we met with and considered using. They compete quite equally on features, so deciding who to partner with essentially came down to a few questions that were important to us:

Who is running the company?

Do they have a background in compliance? Are they veteran industry professionals? Who are they backed by? If the company ceased to exist in a few years, switching automation tools would be a huge loss of time.

How “good” is the app?

When choosing a company to partner with, you end up getting demos from each one. Knowing that we'd be using this software quite intensely for the next few months, and that it would become a core part of our business for the foreseeable future, meant we gave extra weight to how well designed it was, how fast it worked, and how bug-free the interface seemed.

Cost

At the moment, we (Logic + Rhythm, the company behind Current) have decided to bootstrap rather than go the traditional venture-backed route. As a result, the price of the yearly subscription played an important role for us. If you’re looking to become SOC 2 compliant, the costs add up quickly:

  • Compliance Automation Tool: $7,500–$15,000 per year

  • Penetration Test: $3,000–$5,000

  • SOC 2 Audit: $7,500–$12,000

What was the vibe on the demo call?

As mentioned above, you have to get on calls with salespeople before you can sign up to any of these products, so there’s an inherent chance that you either totally click with someone, feel like you’re being sold to, or just get rubbed the wrong way. Having gone through the entire process, one suggestion we have for any player in the space is to include the Customer Success and internal audit staff in these calls, since after you sign up you primarily interface with them and not the salesperson.

Culturally, we jibed more with the people who took time to understand our business and our current needs, and didn’t try to upsell us on additional features that weren’t relevant to us.

After taking everything into consideration we decided to go with Secureframe as our compliance automation partner. They were very helpful throughout the entire process, met with us regularly, and answered any questions we had incredibly fast.

Actually becoming compliant

After choosing a compliance automation partner the real work starts. I was responsible for implementing all of our policies and processes. Kosta—our lead Software Engineer—was responsible for transforming our AWS infrastructure and engineering practices. Once we had all of our tests passing in Secureframe, we met with a few auditors and decided to go with Prescient Assurance.

Why is SOC 2 important for you and your Company?

If you’re a Designer, Engineer, PM, VP, or CEO, you can be assured that we’ve taken the necessary steps for you to get internal approval to use Current at your company. By undergoing a SOC 2 Type 1 audit and an external penetration test we’ve demonstrated our commitment to security, availability, processing integrity, confidentiality, and privacy, and can supply the official audit report issued by our CPA firm to back it up.

What’s next?

Obtaining our SOC 2 Type 1 report is a major milestone for Current, but the work doesn’t stop there. A Type 1 report only attests that our controls were suitably designed and in place at a single point in time (the audit date). A Type 2 report goes further: the auditor tests that those controls actually operated effectively throughout an observation period, which is why security teams usually prefer it. We plan to demonstrate exactly that, so we’re currently in a 6-month observation window for our SOC 2 Type 2 audit. In addition, we’ll look into other industry standards such as ISO 27001, GDPR, HIPAA, and others, as needed.

If you'd like to see our SOC 2 report or penetration test, or if your company requires a different compliance standard, please reach out to us at security@current.so.