At Scispot, we are committed to safeguarding customer data and ensuring the highest level of security across our operations. Our dedication to compliance with SOC 2 standards reflects our proactive approach to security, confidentiality, and availability. Below, we detail the SOC 2 controls implemented at Scispot to protect customer data and maintain trust.
Overview of SOC 2 Compliance
SOC 2 (Service Organization Control 2) compliance is an essential benchmark for organizations managing customer data in the cloud. SOC 2 certification is based on the American Institute of Certified Public Accountants (AICPA) Trust Service Criteria, including principles of security, availability, processing integrity, confidentiality, and privacy.
Scispot’s SOC 2 compliance is continuously monitored and managed through Vanta, ensuring adherence to these principles and maintaining our commitment to data security and privacy.
Key SOC 2 Controls Implemented at Scispot
1. Control Environment:
Code of Conduct: All employees and contractors are required to acknowledge and adhere to Scispot’s Code of Conduct. Violations are subject to disciplinary measures, ensuring a culture of integrity and ethical values.
Human Resource Security Policy: Background checks, confidentiality agreements, and security training are mandatory for all employees and contractors. These controls ensure that only vetted individuals handle sensitive data.
2. Access Control:
Access Requests and Reviews: Access to data and resources is based on job roles, and access is reviewed quarterly. This aligns with the least privilege principle to minimize security risks.
Multi-Factor Authentication (MFA): MFA is enforced for all remote access and administrative accounts, adding an extra layer of security.
Unique Access: All employees have unique usernames, passwords, and SSH keys, preventing unauthorized shared access.
3. Data Encryption and Cryptography:
Data-at-Rest and Data-in-Transit Encryption: Sensitive data is encrypted both at rest and in transit using industry-standard protocols. This protects data integrity and confidentiality during storage and transfer.
Encryption Key Management: Access to encryption keys is restricted to authorized personnel only, following strict cryptographic policies.
4. Vulnerability Management:
Regular Vulnerability Scanning: Host-based vulnerability scans are conducted at least quarterly. High-priority vulnerabilities are tracked and remediated promptly.
Patch Management: Routine patching of infrastructure mitigates potential vulnerabilities, with scanning results verified through Vanta’s continuous monitoring system.
5. Incident Response:
Incident Response Plan: Scispot has a documented and tested Incident Response Plan. The plan outlines steps for identifying, containing, and addressing incidents, ensuring rapid recovery.
Employee Training: All employees receive annual training on incident response protocols, enhancing readiness to manage potential incidents.
6. Risk Management:
Annual Risk Assessments: Scispot conducts comprehensive risk assessments annually, evaluating environmental, regulatory, and technological changes.
Vendor Management: All third-party vendors undergo security assessments and are subject to Scispot’s third-party management policies.
7. Change Management and Secure Development Lifecycle (SDLC):
Change Approval Process: All changes to software and infrastructure are documented, tested, reviewed, and approved before production deployment.
SDLC Policies: Our Secure Development Policy mandates secure coding practices, vulnerability testing, and monitoring.
8. Monitoring and Logging:
Log Management: Scispot employs extensive log management to track and review critical system activities, ensuring accountability and enabling rapid response to unusual activity.
Intrusion Detection: An intrusion detection system monitors network traffic, alerting our team to potential threats.
9. Physical and Logical Access Controls:
Firewall and Network Segmentation: Scispot utilizes firewalls and network segmentation to isolate critical systems and prevent unauthorized access.
Device Management: All devices accessing sensitive data are managed via Mobile Device Management (MDM), ensuring compliance with security policies.
Continuous Compliance Monitoring with Vanta
Through Vanta, Scispot continuously monitors all SOC 2 controls, including IT infrastructure, HR policies, and data handling procedures. This ongoing assessment helps us maintain SOC 2 compliance while quickly addressing any identified gaps.
Summary
Scispot’s SOC 2 compliance demonstrates our dedication to providing a secure, reliable environment for our customers. With robust controls across security, access, incident response, and risk management, we ensure data remains protected and secure at every level of our organization.
For any further questions on Scispot’s SOC 2 compliance or security practices, please reach out to our team at [email protected].
Here is the PDF that highlights all the controls that Scispot monitors and satisfies in real time.