SOC 2 Type II Compliance and Why It Matters
Our journey and the path forward
Since Jacob and I started RevenueCat, security and reliability have been our top priority.
As the infrastructure that powers thousands of apps with millions of subscriptions, we provide a critical service for app developers. With this massive amount of information flowing into our systems, we know we need to do the utmost to ensure our customers’ data is safe with us – and we take this responsibility very seriously.
Why did we get SOC 2 certified?
We completed our SOC 2 audit because we’re committed to adhering to the highest security standards for enterprise customers and indie developers alike. We know our customers have their choice of vendors. Being audited by an external firm provides additional validation that we’re following the right policies and that we’re trustworthy partners for our customers.
Type I vs. Type II
SOC 2 Type I is a snapshot: the external auditor evaluates your organization at a specific moment in time. With Type II, the auditor verifies that your organization complied with all of its policies over an extended period (typically several months), without any policy exceptions.
Although we knew that going for Type II certification would take longer, we wanted to make sure that this wasn’t a one-off project but a long-term commitment for RevenueCat.
The auditing process
Luckily, we already had a lot of the necessary processes and best practices in place (like code reviews, our bug bounty program, and background checks), which made the process much smoother. We were also in the process of revamping a few company policies, such as cryptography, access control, third-party management, security development, code of conduct, and asset management.
As CTO, I kickstarted the project, but ultimately, this was a team effort. Every single RevenueCat employee played a role in getting our SOC 2 certification.
Inside our SOC 2 certification process
Our People, Operations, and Engineering teams worked on revamping our policies in:
- Access control
- Code of conduct
- Asset management
- Data management
- Incident response plan
- Information security policy
- Risk management
- Secure development policy
At the same time, our Engineering team worked on:
- Accounts, password policies, and multi-factor authentication
- Logging, alerts, vulnerability tracking, and backup policies
- Bug bounty programs
- Secure development practices
- Inventory management
- Defining SLAs
We reviewed our onboarding policies, training, and background check requirements, then assessed all the risks associated with our external vendors by asking them for their SOC 2 reports.
Next, we asked our teammates to review the policies, complete any pending training, and clear action items concerning encryption, password strength, and so forth.
Once that part of the process was complete, we were ready to talk to our auditors. After the X-month auditing process, we finally received our report.
What tooling and partners did we work with and why?
We chose to work with Vanta because they monitored our infrastructure, onboarding, and offboarding of employees and made the entire process easier – both for our company and the auditors.
Plus, Vanta connects directly with the tools that we use (AWS, Slack, GitHub, and Shortcut), and they let us know if there’s anything we need to take care of immediately, without breaking any service-level agreements.
They’re also a fellow Y Combinator company, and were recommended to us by a handful of other startup founders who had tried to get SOC 2 unsuccessfully until they discovered Vanta. They were extremely responsive and supportive every step of the way – from ensuring we had a dedicated person to work with and helping us choose the auditor, to coming up with a roadmap, prioritizing tasks, and providing templates.
Things we learned that might help other companies get through their SOC 2
Any company that wants to get SOC 2 certified should start early – ideally when your team is still small (20-40 people). You might think that only larger companies need to become SOC 2 compliant, but the earlier you do it, the better.
If you’re looking for someone to guide you through the process, we highly recommend Vanta. They drastically reduced the complexity and time commitment of the entire process. And if you think about it, all the new policies and procedures that you enforce will become a part of your company’s DNA. It’s essential to get it right the first time around.
You should also keep your team updated about the progress and milestones you’ve achieved during the auditing process. While timelines might slip, given that you’re a startup and priorities change, it’s vital to have a solid roadmap and cadence.
The way forward
Completing the audit process is a huge milestone, but it’s only one piece of the puzzle. Going through SOC 2 doesn’t automatically make your company’s security bulletproof, but it does help enforce good practices that you’ll take with you as your company grows.
From here, we’re prioritizing being proactive with the measures that we’ve already taken and putting continuous effort into building the most secure organization we can.