Taking Legal Tech Security Seriously, Part II: SOC 2 Type II Audit Certification

by Lisa Hawke

Reading Time — 2 minutes

September 30, 2016

Here at Everlaw, we take security seriously, and protecting data is a top priority. A few months ago, I introduced myself as Everlaw’s new Director of Policy and Compliance and mentioned that I was leading our SOC 2 Type II audit. We are proud to announce that Everlaw successfully completed a SOC 2 Audit Type II examination over the Security, Availability, and Confidentiality principles, demonstrating that our system is designed and operates effectively to keep our clients’ sensitive data secure.

What does SOC 2 Type II certified mean?

We’ve talked about cloud versus on-premise security and cloud security features before, so how do we walk the talk at Everlaw? SOC refers to Service Organization Controls, and SOC 2 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. A SOC certified organization is audited by an independent firm which examines the controls and processes involved in storing, handling, and transmitting data securely.

These controls are comprised of a series of standards designed to help measure how well a given service organization, such as a SaaS provider, controls its information. The purpose of these standards is to provide confidence and peace of mind for organizations when they partner with third parties. Each of the principles, such as Security, Availability, and Confidentiality, have defined criteria and controls which must be met to demonstrate adherence to the principles and gain certification.

What is the difference between SOC 2 Type I and Type II?

Last year, we announced that we received a SOC 2 Type I certification in Security and Availability. This year we expanded the scope of our audit to include Confidentiality and chose to undergo a Type II evaluation.

So, what is the difference? A Type I report evaluates and reports on the design of controls put into operation as of a point in time, and a Type II report includes both the design and testing of controls to report on the effectiveness of controls over a period of time, which requires evidence of how an organization operated their controls. For a company to receive SOC 2 Type II certification, it must have sufficient policies and strategies that satisfactorily protect the client’s data, and it must also provide detailed evidence and pass independent testing of their operational effectiveness through the audit testing procedures.

At Everlaw, we are committed to security and transparency. In furtherance of this commitment, I am working full-time on our security and compliance program, and we choose to undergo rigorous testing by an independent third party auditor rather than merely relying on the security credentials of our service providers. Our successful completion of this voluntary SOC 2 Type II examination illustrates Everlaw’s ongoing commitment to create and maintain the most stringent controls for the protection and security of our customers’ confidential information.

Learn more about security and compliance at Everlaw.

Lisa Hawke, a former environmental scientist and lawyer specializing in privacy, security and compliance, has written articles for publication in TechCrunch, Bloomberg Law, LegalTech News, Above the Law, SCCE Magazine, Ethikos, and the Suffolk University Law Review.