Altocloud is a SOC 2-certified vendor; we validate our processes, people, and capabilities for securing of end-customer data.
This article provides an overview of the Service Organization Controls (SOC) 2. These services validate the security of a provider’s physical and organizational structure and services.
What is SOC 2?
SOC 2 is an auditing procedure specifically designed for service providers storing customer data in the cloud, which means it applies to almost every SaaS company or any company that uses the cloud to store customer data. SOP 2 ensures SaaS providers are securely managing data to protect the privacy of their customers.
A SOC 2 report is an attestation report that provides controls and assurance over a defined set of the service provider’s systems. The report includes details of the test results, controls, and specific tests performed. Each report covers a defined period, which is agreed on between the service auditor and service provider.
The EU GDPR definition of what constitutes PII can be found here.
Five Trust Service Principles (TSPs)
The SOC 2 report can include one of the following five Trust Services Principles (TSPs):
- Security – The system resources are protected against unauthorized access.
- Availability – The system is available for operation and use as specified by a contract or Service Level Agreement (SLA).
- Processing Integrity – The system processing is complete, accurate, timely, and authorized.
- Confidentiality – The data is restricted to a specified set of persons or organization and protected according to policy agreement.
- Privacy – The personal collection of system data, used, retained, disclosed and disposed in accordance with an organization's privacy notice.
Processes that ensure a highly functional and secure customer environment
- Extensive screening is performed during the hiring process to ensure the integrity of all team members.
- Servers are highly available, consistently exceeding 99.9% uptime.
- 100% of customer data is backed up. There are multiple online replicas with additional snapshots and other backups.
- Secure system monitoring is performed 24x7x365.
- Proactive customer notifications alert customers to any customer-impacting situations.
- Data is encrypted. Basic storage access does not allow customer data to be accessed.
- User access requires to customer data multi-factor-authentication. Transactions are audited.
Product and application security
- Customer communications are protected. APIs and chat sessions are encrypted in transit using HTTPS, and voice and video sessions are encrypted using DTLS.
- Quality code review and deployment processes are rigorously followed. Automated static code analysis and human review ensures development best practices are implemented across numerous monthly code pushes.
- Advanced logging, alerting, and aggregation tools provide instantaneous and reliable anomaly alerting.
Infrastructure and data security
- Altocloud is hosted on AWS, the world’s leading data center provider. Access is strictly controlled and monitored 24x7 by on-site security staff, biometric scanning and video surveillance. Data center partners are SOC 2 and ISO 27001 certified and provide N+1 redundancy to all power, network, and HVAC services.
- Our hosting strategy includes multi-location, geographic diversity. Our product suite is hosted on geographically separate data centers in both the US and Europe. Altocloud’s infrastructure lives in three distinct availability zones to ensure lead generation and sales support are available anytime.
- Everything is redundant. Databases, application servers, web servers, jobs servers, and load balancers as well as backend support services all have multiple failover instances to prevent outage from single points of failure.
- Enterprise-grade firewalls, routers, and Intrusion Prevention Systems (IPS) protect the infrastructure and prevent network-based attacks.
- Altocloud’s hosting partners’ around-the-clock vulnerability scanning process looks for flaws in product and corporate infrastructures along with validating security hardening best practices are in place. This ensures resilience in all layers of the technology stack.
- Altocloud uses a flexible infrastructure. The highly automated server infrastructure is designed with rapid provisioning and de-provisioning principles. Server instances are automatically and consistently built and torn down within minutes as needed to size the infrastructure appropriately and respond to customer needs.
- Rapid patch management process pushes all the latest security updates fast. Patching is generally handled by deploying new server instances with the most up to date patches and de-provisioning out of date servers, as opposed to traditional and slow patching processes.