Security Update: Smooch is Now SOC 2 Type I Compliant

At Smooch, we take security seriously. Thousands of businesses rely on our services to communicate safely and reliably with their customers. When it comes to quality of service, uptime, change management, and the protection of sensitive data, our customers have high expectations and we try to exceed them.

As part of our commitment to security, we’re excited to announce that we have officially achieved SOC 2 Type I compliance!

The journey to SOC 2

After considering other security certifications, we found that SOC 2 made the most sense for our business, our space and our customers. It covers our customers’ security due diligence, with the benefit of not drowning us in too much paperwork and processes.

We worked with one of the leading international auditing firms towards a SOC 2 Type I audit. The goal was to assess that we have all the controls in place to satisfy the selected “principles”, Security and Availability, and their underlying criteria.

It is not easy for a startup like Smooch to pull this off. It was crucial for us to avoid overwhelming the team with loads of new processes and tools, and slowing down product development.

The first step was to go through a gap assessment that was planned in Q4 of 2017. The outcome of this exercise was a long to-do list that covered various aspects of the company’s processes.

Then was time to get a variety of new processes in place and write new internal policies. The whole process can be quite cumbersome with a laundry list of items to track. But we found that it brought a lot of clarity to our internal processes, and was absolutely worth the investment for both our company and our customers.

What does SOC 2 cover?

In a nutshell, processes and systems are broken down into multiple categories, all of which are reviewed in-depth during the audit:

Organization and Management

Here we lay the foundation for areas of internal control, including integrity and ethical values and competence assessment, a well-communicated direction, organizational structure, and HR policies and practices, etc.

Risk management

The goal here is to establish the existence of a cross-functional risk assessment process to assess and manage risks that could affect the organization's ability to provide reliable services to its customers.

Monitoring of controls

Here is where we assess that we have the set of tools, reports, and processes to monitor the results of the various business processes. Regular reviews of the reports, logs and records must be done to ensure all exceptions are resolved.

Logical and physical access controls

Given all our infrastructure is based in the cloud, this part mostly covers whether we have sufficient processes to give internal access to our tools and services. Important aspects are the role-based security architecture and the tracking of all requests and changes. Every asset must have an assigned owner.

System Operations

This category covers all operational aspects of our platform, from intrusion detection systems (IDS), hardening, vulnerability scanning, monitoring of all critical components, alerting and escalation policies.

Change management

Change management is one of the most important and velocity-impacting parts of this process. We walked the auditors through all the steps for deploying a piece of software — or other changes — to production. They made sure we logged and approved all steps, have rollback plans, and assess the security, availability and overall risk of each change.

Availability

Last but not least, we demonstrated that we have a highly available architecture and that we have all the required processes in order to deploy, maintain, secure and, in case of a disaster, recover each one of them.

It's now official!

As of June 30 2018, Smooch has completed its SOC 2 Type I audit for the Security and Availability Trust Services Principles. This is the first step of a long journey towards achieving SOC 2 Type II, expected next year.

Many thanks and kudos to the team for adapting to all these new processes.
Our SOC 2 Type I report is available upon request. Do contact us for more information.