Safeheron Attains SOC 2 Type I Certification, Adhering to the Highest Standards of Data Security
06/16/2023 (last updated 06/16/2023)
Safeheron, an open-source MPC self-custody solution provider for digital assets, announces that it has obtained a SOC 2 Type I report covering data security and privacy. The examination was performed by Deloitte, a leading global provider of audit and related services, and assessed whether the design of Safeheron's security processes and controls meets the applicable Trust Services Criteria, confirming that Safeheron's security design and organizational controls have been implemented as described.
Deloitte is now auditing Safeheron for SOC 2 Type II. A Type II report assesses how effectively those controls operate over an observation period: whether customer data is protected from unauthorized access and whether system security, user data confidentiality and privacy are maintained in practice. SOC 2 Type II will further demonstrate Safeheron's open-source transparency, security and reliability, as well as its commitment to protecting clients' assets and data.
SOC 2 covers internal controls over information systems and is widely regarded as the gold standard for providing that assurance. The AICPA issues two other SOC reports: SOC 1 and SOC 3. SOC 1 addresses controls relevant to a customer's financial reporting, while SOC 3 covers the same Trust Services Criteria as SOC 2 but is a general-use summary of an organization's security program rather than a detailed report. As an MPC-based self-custody technology provider, Safeheron treats user data security and privacy as core, and has therefore prioritized SOC 2.
Safeheron's SOC 2 Type I report covers the security, confidentiality and privacy criteria.
SOC 2 focuses on controls relevant to the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA): security, availability, processing integrity, confidentiality and privacy. Strictly speaking, SOC 2 is an attestation report issued by a licensed CPA firm rather than a certificate, although the term "SOC 2 certification" is in common use and is used here.
Of the five criteria, security is mandatory; the other four are included only if the organization selects them, and confidentiality usually is. Most SaaS companies select security, availability and confidentiality.
Security
Information and systems are protected against unauthorized access (both physical and logical) and unauthorized disclosure of information.
Availability
Information and systems are available for operation and use as committed or agreed, that is, the system, products or services are accessible as the firm has committed.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Confidentiality
Information designated as confidential is protected to meet the entity’s objectives.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's objectives.
Safeheron has attained SOC 2 Type I certification, and has proceeded with SOC 2 Type II auditing.
SOC 2 Type I reports evaluate a company's controls at a single point in time, attesting that the controls are suitably designed and implemented as of that date.
SOC 2 Type II reports assess how those controls operate over an observation period, generally 3 to 12 months, and whether the controls operated effectively as intended throughout that period.
In Safeheron's case, the whole process, from the start of the audit to issuance of the report, took five months.
Preparing for and completing a SOC 2 audit falls mainly on the Chief Information Security Officer (CISO) and their team. Before the audit starts, the organization performs a gap assessment and implements the missing controls to become audit-ready.
In general, the preparation proceeds as follows:
Gap Assessments
Assess the gap between the current internal controls and the SOC 2 criteria, and implement the controls that are missing.
Technical Controls
Implement the required technical controls to improve security and demonstrate compliance.
Policies and Procedures
Adjust internal policies and procedures to be audit-ready.
Create Documentation
Produce the documentation that the SOC 2 audit will rely on, including policies, procedures and reports.
Risk Assessment
A risk assessment is mandatory for SOC 2 compliance; it must be performed effectively and documented in a report afterwards.
Vendor Evaluation
Evaluate and manage vendors effectively to ensure SOC 2 compliance.
Internal Audit
Identify issues promptly through internal audits and take corrective measures to ensure SOC 2 compliance.
Employee Training
Conduct employee training and record both the training and its effectiveness. Training should cover the company's security policies, procedures, controls, risk identification and emergency response, as well as the relevant SOC 2 requirements. Its effectiveness should be assessed and improved through examinations, questionnaires, feedback and similar means, so that employees actually comply with the SOC 2 criteria.
Emergency Plan
Plan emergency response schemes and test their feasibility and effectiveness. The plans should cover the scenarios that could affect the company's SOC 2 compliance, with clearly defined persons in charge, response processes, communication channels and recovery procedures. Regular drills and assessments should be conducted to strengthen the company's response and recovery capabilities.
As a self-custody security infrastructure provider, Safeheron focused on optimizing internal security controls and strengthening protection on top of its existing security architecture and controls. Such as:
In addition to security controls, Safeheron standardized company management and processes, for example by drafting comprehensive security policy documents, regularly conducting risk management and compliance assessments, and imposing stringent security and compliance requirements on vendors and partners.
In terms of financial management, Safeheron established strict financial control and reporting processes and conducts internal audits to ensure that financial procedures and operations are effective and compliant.
Furthermore, Safeheron's preparation also includes organizing and filing financial records and documents, as well as regularly undergoing external audits and compliance reviews.
For Safeheron, the audit was a mixture of remote work and on-site audit.
For most companies, a major challenge in completing a SOC 2 audit lies in administrative controls. Some policies or procedures are not carried out correctly, and sometimes the controls are not in place at all. Such as:
Review access control management for all key systems, including permissions, account statuses, and tiered access.
Another challenge lies in technical security controls. Many companies have implemented technical controls since their inception, yet some controls have still not been fully implemented to the standard SOC 2 requires. Such as:
To enhance software security and reliability, companies need to standardize and optimize the software development process and manage the whole software lifecycle in line with SOC 2 requirements.
Safeheron has established and continuously improved its internal security system since its inception. Being audited for SOC 2 Type I helped us identify and address gaps, enhance existing controls, and adapt security designs as needed, while always guaranteeing the effective implementation of internal security controls.
A SOC 2 report has five main sections:
Auditor’s Report
Written by the auditor, this section states the auditor's opinion on whether the organization "passed" the assessment: an unqualified opinion means no material exceptions were found, while a qualified opinion notes exceptions.
Management Assertion
This section precedes the System Description and is where management asserts that it prepared the system description and that the controls were implemented as described.
System Description
This section includes important information regarding the people, processes, and technology that support your product or service, serving as an overview of your organization’s systems and controls in place.
Description of Criteria
This section lists all the controls that were evaluated, serving as an index to the most relevant information from the audit.
For Type I reports, this section only records the auditor's evaluation of whether the controls were suitably designed as of a specific date.
Other Information (optional)
This section is where the organization can provide additional information relevant to the audit, for example a response to any exceptions noted during the audit.
Security and compliance are essential prerequisites for the growth of many enterprises, particularly in the blockchain industry, which is still in its infancy and where security and compliance practices are still maturing.
SOC 2, one of the most widely recognized information security compliance standards, comprehensively reflects a vendor's security capabilities and gives assurance that service providers manage user data securely, safeguarding organizations' interests and user privacy.
For Safeheron, obtaining SOC 2 Type I certification is a significant milestone. As an MPC-based self-custody infrastructure provider, we walk the talk with our technology, using proprietary technology while fully embracing the open-source community. By continuously pursuing security certifications, we not only prove our ability to implement security measures and maintain compliance but also demonstrate our unwavering commitment to customer data security and privacy.
The SOC 2 Type I certification further showcases Safeheron's original aspiration to maintain highly compliant and secure standards. Safeheron remains committed to becoming the premier self-custody security infrastructure for digital assets in the industry, empowering customers with complete control over their private keys and assets, while also enhancing security and efficiency.
References
Deloitte, "Crypto firms build confidence through SOC 2 reporting".
Rob Black, "How to get a SOC 2 certification: A comprehensive guide".
Kyle Cohlmia, "Breaking Down SOC 2 Reports: How to Prepare and Review Each Section".