A 5 Step Guide to Getting SOC 2 Certified - Nylas

A 5 Step Guide to Getting SOC 2 Certified

5 min read

Trust is earned, not engineered.

But careful engineering actually plays a critical role in growing and maintaining customer trust. This is why we are incredibly happy to announce our SOC 2 certification for security and confidentiality. Here, we’ll provide our roadmap to SOC 2 certification.

21972-312_SOC_NonCPA

What is SOC 2 Anyways?

SOC 2 is one of the most sought after standards in security and compliance. It stands for System and Organization Controls, and encompasses everything from how you run your engineering systems, to HR processes like updating job descriptions and onboarding new hires.

SOC 2 represents the highest degree of excellence in systems and operations control. A company can pursue SOC 2 certification in different areas of their organization – Security, Availability, Processing Integrity, Confidentiality, and Privacy. In SOC 2 terms, these areas are called trust principles.

Step 1: Bring in Credible Outside Auditors

In order to examine your security standards with complete objectivity, you’ll want to bring in a fresh set of eyes (and experts) to help map a path forward that ensures your product will be compliant and follow best practices for the future.

That’s where the auditors come in. At Nylas, we selected A-LIGN’s team to achieve SOC 2 certification.

The first step in the process is getting a sense of the distance between your current operational processes and SOC 2 compliant processes. A-LIGN asked our team hundreds of questions regarding the trust principles of security and confidentiality to identify what worked and what needed improvement.

A-LIGN gave us a proverbial snapshot of our current state of security and confidentiality. From there, it was up to us to figure out how to tweak or add security features to reach SOC 2 compliance.

Step 2: Select Security Criteria for Auditing

When pursuing SOC 2 compliance, you can select the pillars or criteria that you’d like to focus on. These include:

  • Security: Is your system protected against unauthorized access (physical and logical)?
  • Availability: Is your system available for operation and use as you’ve agreed to with your customers?
  • Processing Integrity: How does your system process data, including all customer data and PII? Is it accurate, timely, and authorized?
  • Confidentiality: Do you protect confidential information as you’ve agreed to with your customers?
  • Privacy: Do you collect, retain, disclose, or delete personal data in compliance with your privacy policy, with the criteria set forth in the Generally Accepted Privacy Principles (GAPP)?

At Nylas, we chose to focus on the security and confidentiality certifications is because of our commitment to reliability, transparency, and accountability around how our API processes billions of emails, calendar, and contacts data. Security is always important, but it’s even more paramount when dealing with email data. We wanted to assure our customers that we handle sensitive information properly and have built a rock-solid processes to defend and secure that sensitive information.

Simply maintaining security practices isn’t enough- you have to make sure that each security measure is well-documented and that there’s a team transparently evaluating the performance of that infrastructure.

Step 3: Building a Roadmap to SOC 2 Compliance

After meeting with your auditor, you’ll want to build a roadmap to achieve SOC 2 compliant systems and processes. It’s a true cross-functional, multi-week project that requires a lot of hands-on time.

Once you’ve built out SOC 2 compliant processes, follow them religiously as if the credibility of your company depends on it (hint: it does). These processes will cover everything from ensuring that there’s tiered access to PII data, to protecting your company’s internal confidential data.

For example, if it’s your first day on the job as a designer, it’s unlikely you’ll need to review sensitive customer data. Building tiered account access ensures that you cannot access customer data unless it’s material to your job. The principle of information security must be backed up by a system to enforce it. That system has to be followed to the letter, every time.

Step 4: The Formal Audit

A few months later, your auditor will do a formal audit to see how you’ve built SOC 2 compliant systems and if you followed the proper processes managing those systems. Like before, you’ll answer hundreds of questions about security and confidentiality. To prove that you actually follow these policies, we recommend submitting evidence that validated that you followed your established checks and balances. At the end of the audit, assuming all processes have been well-documented and follow, you’ll be determined to be SOC 2 compliant in the criteria you selected!

Step 5: The Road Ahead — Certification and Re-Certification 

The work isn’t over after you’ve been certified. To maintain certification, you’ll need to undergo regular annual audits to ensure that your security measures and documentation scale with your organization.

About Nylas: Our customers and their users send data to and receive data from Nylas. In that sense, Nylas functions like an API-powered bridge, connecting applications to businesses, businesses to customers, customers to their favorite companies. We’re making sure that bridge gets better every day. We’re working to become certified in additional trust principles, reviewing ISO27001 certification, while maintaining our current SOC 2 certification in future audits. SOC 2 compliance in security and confidentiality is just one critical step in that journey.

Related resources

Implementing security by design at startups

Building security by design is crucial, especially for startups and small businesses, where resources are…

Building a security-first culture in your organization

In a time where cyber threats are increasingly sophisticated and frequent, fostering a security-first culture…

Nylas’ Response to the Log4j Vulnerability

At Nylas, our information security team took action to investigate the Log4j vulnerability and found that our codebases were not impacted. As the incident unfolds, see how Nylas responded to identify the impact and protect customer data.