We are proud to announce that Gatsby is now SOC 2 Type 2 certified for the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Following our successful SOC 2 Type 1 audit that concluded at the end of September 2021, we spent the six month period between October 2021 through March 2022 in evaluation for SOC 2 Type 2, and attained a successful audit with no control exceptions!
Our journey toward SOC 2 compliance began a year ago when I joined Gatsby to build out and mature our cybersecurity program. Top of mind—in addition to building a robust technical security program—was to build a path toward a successful SOC 2 attestation. We chose SOC 2 as a compliance framework, as it’s one of the best industry-recognized standards for service organizations to demonstrate maturity around IT security and data protection controls.
The SOC 2 standard is broken out into five Trust Services Criteria (TSCs): Security, Availability, Confidentiality, Processing Integrity, and Privacy, each with its own subset of controls. Security has the largest set of associated controls and is also the only TSC that is mandatory for a successful SOC 2 attestation. Organizations choosing to be audited against the standard may choose additional TSCs. We at Gatsby chose to be audited against the Security, Availability and Confidentiality standards.
- Security: Criteria that evaluate whether a service organization has taken steps to help prevent and minimize the risks that would arise from a security incident or unauthorized access.
- Availability: Evaluates if a service organization can demonstrate controls that contribute to service availability.
- Confidentiality: Evaluates that a service organization has adequate controls to identify, categorize, and protect confidential data.
In implementing SOC 2 controls across our organization, we chose to engage with Laika, a company that specializes in helping organizations implement compliance controls successfully. Laika has proven to be a tremendous partner, helping us not only meet, but exceed the control standards required for SOC 2. Laika was also instrumental in helping tailor the SOC 2 controls for our unique organizational needs.
…but compliance isn’t security
I’ve said it before, and I’ll continue to say it. While we are proud to have achieved a successful SOC 2 Type 2 compliance audit, compliance isn’t security! A well-thought-out security program requires much more care, especially in the modern era when data breaches and security incidents are (unfortunately) commonplace.
Examples of how we aim to exceed compliance standards include:
- SOC 2 requires a vulnerability management program. At Gatsby, we have moved toward a continuous vulnerability patching system, where our virtualized cloud servers and microservices are patched automatically and configured by default to be hardened. We additionally monitor patching status on a continuous basis to ensure coverage.
- SOC 2 requires an annual penetration test. We have built an internal offensive security program, regularly conducting internal network and application-level assumed breach penetration testing. We have also sought out top talent to conduct our third-party penetration tests. Our most recent penetration test was conducted by Red Siege, a top name in penetration testing and red teaming.
- SOC 2 requires that a company be aware of the types of data within the organizational infrastructure. At Gatsby we take additional steps to securely architect our service to segment trusted and untrusted portions of our application infrastructure and to isolate each customer’s data into separate hardened environments.
- SOC 2 requires that a company maintain Incident Response and Disaster Recovery policies that are reviewed annually. At Gatsby, we not only conduct such reviews, but also conduct quarterly Incident Response tabletop exercises and Disaster Recovery simulations to ensure our procedures are well tested in the event of an emergency.
We also aim to give back to our customers and the Gatsby community. Over the last year we have conducted several webinars aimed at helping Gatsby developers produce secure websites and web applications. Our goal is to not only deliver a trustworthy development environment for our customers and free users, but to provide the knowledge and tools to secure the Gatsby ecosystem as a whole.
The work will never be complete, but today we have a strong foundation to continue to build on to protect your data.