What is SOC 2 compliance?
For those unfamiliar, SOC 2 is a certification developed by the AICPA and is considered the gold standard information security standard. To achieve SOC 2 compliance, you engage a third-party auditor who evaluates your organization to assess whether you have adequate security policies and controls.
The policies and controls encompass things like company oversight (employee security training, background checks), software development lifecycle (issue tracking, testing, version control), application infrastructure security & monitoring (data storage & management standards, vendor reviews, vulnerability scans & penetration tests), and access controls (account de-provisioning, two-factor auth, malware detection).
A ‘Type 2’ report goes a step further than a ‘Type 1’ report and evaluates that your controls and policies are not only sufficient but that they’ve been enacted throughout the audit period. That’s the difference between having a document describing what you do if you discover a vulnerability and having evidence that you do what you say you will.
We opted to go straight for Type 2 because we wanted our SOC 2 report to reflect our commitment to the organizational and security standards we’ve defined and not just be a rubber stamp.
Dopt’s SOC 2 compliance process
We use Drata to help us manage our compliance process. They simplify managing policies and evidence of controls, automating the tedium of taking hundreds of screenshots that getting SOC 2 compliance used to entail. That lets us spend less time pulling together our evidence for the audits but also ensures that we get notified immediately of any issues with our controls that may arise so we can quickly resolve them.
Security is more than just SOC 2
Our customers trust Dopt with some of their most critical product experiences and customer data. We take that responsibility very seriously. Dopt’s developer-first approach allows our customers to realize the speed, quality, and flexibility benefits of Dopt’s platform without taking on outsized security risks:
- Dopt doesn’t require any PII to function: you can send us anonymized identifiers for your users. The user and group properties that typically get identified to Dopt are things like a user’s role, a question they answer during sign-up regarding what their use case is, how many times they’ve performed an action (like creating a doc or chart), when they signed up, and their company’s plan or trial status. These typically aren’t considered PII by most organizations.
- Our SDKs and API clients are open source and bundled in your app; you use them to call our API with a (potentially anonymized) user identifier to receive the flow state for that user and any content you’ve defined in Dopt. The states we return are boolean values, and the (optional) content contains product copy, image URLs, and links to public assets.
- Most importantly, we don’t execute any code you don’t explicitly invoke or collect any information you don’t explicitly send us. The same can’t be said for the other product adoption platforms out there (you can read more about how our approach fundamentally differs from the existing tools here).
Getting our SOC 2 Type 2 compliance is a great recognition of the work the team has put in from day one to architect a robust and secure system and a validation that we have the right processes in place to ensure the security of our customers’ data.
We’ll continue to invest in our security practices and the certifications that help us demonstrate our commitment to them. We’d love to hear what’s important for you and your organization; if you have any security-related feedback or questions, get in touch with us at firstname.lastname@example.org. We’d be happy to discuss your specific scenario and requirements and are happy to sign a custom DPA for customers on our Scale plan.