FOSSA is committed to helping enterprises reduce risk at every stage of the software development lifecycle. This mission extends not only to our vulnerability management and license compliance products, but also to the way we secure company and customer data.

Today, we’re pleased to share a significant milestone in our work to achieve the highest standards of security. We have passed our SOC 2 audit and received our SOC 2 Type 2 report, which is powerful affirmation of the safeguards we’ve put in place to keep company and customer data safe.

We know that organizations across the globe rely on FOSSA to help facilitate secure and seamless software development, and SOC 2 compliance demonstrates our continued commitment to delivering best-in-class, enterprise-ready solutions.

What Is SOC 2 Compliance?

SOC (Systems and Operational Controls) 2 was developed by the American Institute of CPAs (AICPA), the world’s largest member association representing the accounting profession. It applies a set of standards to measure a range of non-financial reporting controls: security, availability, privacy, confidentiality, and process integrity. Collectively, these are referred to as Trust Services Criteria (TSC).

Although they share similar names and are produced by AICPA, SOC 2 is actually quite different from SOC 1 and SOC.

  • SOC 1 addresses controls around financial reporting
  • SOC 2 examines controls around one (or more) of the five aforementioned Trust Services Criteria (TSC)
  • SOC 3 also covers the TSC, but the report is much less comprehensive than SOC 2

What FOSSA’s SOC 2 Report Covers

FOSSA’s SOC 2 audit examined the security controls we’ve put in place to safeguard customer and company data. The audit put FOSSA’s controls to the test across six key categories:

  • Risk Assessment and Mitigation
  • Monitoring Activities
  • Control Activities and Environment
  • Logical and Physical Access Control
  • System Operations
  • Change Management

A thorough review of 74 individual security controls across those categories confirmed FOSSA’s compliance with SOC 2 security standards.  

It’s also important to note that FOSSA’s SOC 2 audit produced a Type 2 report (as opposed to a Type 1 report). Although both Type 1 and Type 2 reports document an organization’s description of controls related to the Trust Services Criteria, Type 2 reports go a step further. They also include a section that assesses the efficacy of those controls. Consequently, SOC 2 Type 2 reports are more comprehensive and provide stronger insight into how an organization has actually implemented controls, which is why FOSSA went the Type 2 route.

What SOC 2 Compliance Means for Our Customers

There are a few main reasons why we pursued a SOC 2 audit. First and foremost, compliance is more evidence of the fact that we at FOSSA take the security and privacy of customer data extremely seriously and that the safeguards we’ve implemented are working as intended.

Additionally, companies looking to get started with FOSSA may seek external validation to assess our security processes (especially a SaaS organization). SOC 2 compliance demonstrates that we’ve established processes to facilitate safe handling of data from our very first engagement with a prospective user.