Safeheron Attains SOC 2 Type I Certification, Adhering to the Highest Standards of Data Security

06/16/2023

Safeheron, an open-source digital asset MPC self-custody solution provider, announces the attainment of SOC 2 Type I certification for data security and privacy standards. The audit, performed by Deloitte, a leading global provider of audit and related services, assessed whether the design of Safeheron's security processes and controls meets the applicable criteria, confirming that its security design, organizational controls and related measures have been fully implemented.

Furthermore, the Deloitte team has been auditing Safeheron for SOC 2 Type II certification. This certification assesses how effectively the security system and its controls operate over time in protecting customer data from unauthorized access and maintaining system security and the confidentiality and privacy of user data. SOC 2 Type II will further demonstrate Safeheron's capabilities in open-source transparency, security, and reliability, as well as its commitment to protecting clients' assets and data.

Q & A

Why did Safeheron choose SOC 2 certification?

SOC 2 covers internal controls over information systems and is the gold standard for providing assurance about them. The AICPA also issues two other SOC reports: SOC 1 and SOC 3. SOC 1 concerns controls over financial reporting, while SOC 3 covers information security just as SOC 2 does, but is only a summary report of an organization's cybersecurity program. As an MPC-based self-custody technology provider, Safeheron treats user data security and privacy as core values, and has therefore prioritized SOC 2 certification.

What are the criteria for SOC 2 certification?

The SOC 2 Type I report of Safeheron covers security, confidentiality and privacy.

SOC 2 certification focuses on the controls that are relevant to the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy, as established by the American Institute of Certified Public Accountants (AICPA).

Among the 5 criteria, security is mandatory and confidentiality should be included. Most SaaS companies typically select the security, availability, and confidentiality criteria.

What are the differences between SOC 2 Type I and Type II certification?

Safeheron has attained SOC 2 Type I certification, and has proceeded with SOC 2 Type II auditing.

SOC 2 Type I reports evaluate a company's controls at a single point in time. They certify that the security controls are properly designed and architected.

SOC 2 Type II reports assess how those controls function over a period of time, generally 3-12 months. They appraise whether a company's security controls have operated as intended.

SOC 2 Type I certification is the first phase of Safeheron's SOC 2 certification. How long did it take to secure the certification?

The whole process, from the start of the audit to certification, took 5 months.

How to prepare for a SOC 2 audit?

Preparing for and completing a SOC 2 audit mainly falls on a Chief Information Security Officer (CISO) and their team. Before the audit starts, the organization needs to conduct gap assessments and implement the missing controls to become audit-ready.

Generally, the preparation can be as follows:

What Safeheron Has Prepared

As a self-custody security infrastructure, Safeheron focuses on optimizing its internal security controls and strengthening protection on top of its existing security architecture and controls. Such as:

In addition to security controls, Safeheron has standardized company management and processes, for example by drafting comprehensive security policy documents, regularly conducting risk management and compliance assessments, and enforcing stringent security requirements and compliance standards on vendors and partners.

In terms of financial management, Safeheron has established strict financial control and reporting processes and conducts internal audits to ensure that financial procedures and operations are effective and compliant.

Furthermore, Safeheron's preparation also includes organizing and filing financial records and documents, as well as regularly undergoing external audits and compliance reviews.

What is a SOC 2 Type I audit process like?

For Safeheron, the audit was a mixture of remote work and on-site audit.

What are the common challenges to getting a SOC 2 Type I certification? During its audit, what problems did Safeheron encounter and how were they solved?

For most companies, a major challenge in completing a SOC 2 audit lies in administrative controls. Some companies make mistakes where certain policies or procedures are not carried out correctly, or sometimes the controls are not in place at all. Such as:

Review access control management for all key systems, including permissions, account statuses, and tiered access.

Another challenge lies in technical security controls. While many companies have implemented technical security controls since their inception, some controls have still not been fully implemented in accordance with SOC 2 requirements. Such as:

To enhance software security and reliability, companies need to standardize and optimize the software development process and manage the whole software lifecycle in accordance with SOC 2 compliance.

Safeheron has established and continuously improved its internal security system since its inception. Being audited for SOC 2 Type I certification helps us identify and address any gaps, enhance existing controls, and adapt security designs as needed, while always ensuring the effective implementation of internal security controls.

What are the main sections in the SOC 2 Type I report?

A SOC 2 report has 5 main sections, as follows:

What impact does obtaining SOC 2 Type I certification have on enterprises, especially blockchain companies?

Security and compliance are essential prerequisites for the development of numerous enterprises, especially in the infancy of the blockchain industry where security and compliance are also in their early stages.

SOC 2, the most recognized information security compliance standard that comprehensively reflects a vendor's security capabilities, ensures that service providers can effectively manage user data in a secure manner, safeguarding the interests of organizations and user privacy.

For Safeheron, obtaining SOC 2 Type I certification is a significant milestone. As an MPC-based self-custody infrastructure, we walk the talk with our technology, utilizing proprietary technology and fully embracing the open-source community. By continuously advancing security certifications, we not only prove our ability to implement security measures and maintain compliance but also demonstrate our unwavering commitment to customer data security and privacy.

The SOC 2 Type I certification further showcases Safeheron's original aspiration to maintain highly compliant and secure standards. Safeheron remains committed to becoming the premier self-custody security infrastructure for digital assets in the industry, empowering customers with complete control over their private keys and assets, while also enhancing security and efficiency.
