Everlaw Adds Privacy Criteria to Annual SOC 2 Type II Certification

We are proud to announce that Everlaw has added Privacy criteria to annual SOC 2 Type II certification

This is Everlaw’s fourth consecutive year undergoing an independent SOC 2 audit, which has expanded in scope each year. In 2015, we engaged independent auditors for a  SOC 2 Type I audit in Security and Availability. The following year, we completed our first SOC 2 Type II certification in Security and Availability. We added the Confidentiality criteria to the SOC 2 Type II scope, as well as a separate HIPAA compliance assessment in 2017. We added the Privacy criteria to the SOC 2 Type II scope in 2018, in addition to readying our business for GDPR. The annual SOC 2 audit covers our infrastructure in the United States, European Union, Canada and Australia.

What does SOC 2 Type II certified mean?

SOC refers to Service Organization Controls, and SOC 2 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. A SOC-certified organization is audited by an independent firm which examines the controls and processes involved in storing, handling, and transmitting data securely.

These controls are comprised of a series of standards designed to help measure how well a given service organization, such as a SaaS provider, controls its information. The purpose of these standards is to provide confidence and peace of mind for organizations when they partner with third parties. The Security, Availability, Confidentiality and Privacy criteria have defined requirements and controls which must be met to demonstrate adherence and operational effectiveness, and gain certification.

Why is a Type II certification important?

This is Everlaw’s third year undergoing a SOC 2 Type II audit, while expanding the scope of the audit each year. When evaluating a vendor that will impact an organization’s supply chain security, it’s important to understand the difference between SOC 2 Type I and Type II, as well as whether the certification applies to the vendor itself, not just its cloud provider (such as AWS). Many vendors point to providers’ certifications as evidence of strong security, without addressing their own IT systems and security infrastructure, where sensitive information like customer personal data, communications and contracts are processed or stored.  

A SOC 2 Type I report evaluates and reports on the design of controls put into operation as of a point in time, and a Type II report includes both the design and testing of controls to report on the effectiveness of controls over a period of time, which requires evidence of how an organization operated their controls. For a company to receive SOC 2 Type II certification, it must have sufficient policies and strategies that satisfactorily protect the client’s data, and it must also provide detailed evidence and pass independent testing of their operational effectiveness through the audit testing procedures.

At Everlaw, we are committed to transparency about our security and compliance program. Our Security and Compliance team is continuously improving our program and controls, and we choose not to solely rely on the security and privacy credentials of our service providers. You can reach out to us at security@everlaw.com any time!