Kinde is SOC 2 compliant

By Alex Norman — Published

Kinde is officially SOC 2 compliant!

We’ve recently completed an audit by AssuranceLab and received an attestation for SOC 2 Type 1 with the security, availability, and confidentiality Trust Service Criteria.

This is another huge milestone for Kinde, and demonstrates how we continue to prioritize the protection of customer data and the security of our systems.

Get Kinde SOC 2 documentation

Learn more about compliance at Kinde.

What is SOC 2?

SOC 2 is a globally recognized compliance framework for system integrity and security in service organizations. Here’s the definition straight from the organisation that wrote SOC 2, the American Institute of Certified Practicing Accountants (AICPA):

A SOC 2 examination is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

SOC 2 compliance for US customers

SOC 2 is the primary compliance framework for businesses based in the US. As we expand into the US market, we know many of our customers need their core service providers to be SOC 2-compliant, for their own security programs.

SOC 2 attestation

There is no certification for SOC 2. What you get instead is an ‘attestation’. You get this from a Certified Practicing Accountant (CPA), who provides a qualified opinion about whether your business adheres to SOC 2 controls and if there are any exceptions.

The final output is a highly detailed report about your business and your product. It includes a list of the Trust Services Criteria matched to the CPA’s list of controls, which they audited your business against. You also get a SOC 2 Attestation Confirmation.

Observations on implementing SOC 2

Our existing ISO 27001 certification definitely helped make the SOC 2 audit go very smoothly, but there are some clear differences with SOC 2.

  • SOC 2 feels like it has a more consistent baseline, with controls that apply regardless of business size. An example is in the area of change management. With SOC 2, the controls for auditing production changes apply regardless of whether you’re a 5- or 50-person team.
  • SOC 2 is written a bit differently. It uses what they call Trust Services Criteria, which describe points of focus. Your auditor then interprets those points of focus into a list of security controls that you need to prove. A different auditor might provide a slightly different list.
  • SOC 2 includes controls focused on general business management, in addition to security. ISO tended to stick very close to security-based controls, but SOC 2 had a broader scope with topics like recruitment, board of directors oversight, and code of conduct.

What next with SOC 2

Kinde has a SOC 2 Type 1. This means we were audited against the SOC 2 Trust Services Criteria at a specific point in time, demonstrating that we’ve implemented the necessary processes and procedures.

From here on, Kinde will perform a SOC 2 Type 2 each year, which means we’ll be audited against the SOC 2 Trust Services Criteria over a 12-month period. The auditor checks that we remain compliant over the next 12 months by taking samples throughout the year. For example, they might look at our change management records to verify that we’ve followed procedures, or review our external vulnerability scanning reports.

So next year’s audit (and every audit after that) will be a SOC 2 Type 2.

Thanks to our partners in compliance

A big shout out to AssuranceLab for performing the audit and being extremely helpful and personable along the way. It’s great to work with an audit team that you can talk plainly with and express ideas.

An extra massive shout out to the team here at Kinde, who all got involved at some point, and helped make this a smooth process.

For any founders and startups looking into SOC 2 compliance, feel free to reach out to the team with questions. We’d be happy to help provide insight into what we learned and how we approached the audit.