SOC Compliance

Overview

CellarStone Inc, a leading provider of sales commission solutions, and PaaS platform experts, is now SOC 1® & SOC 2® compliant.

We now have indisputable evidence about our claims regarding customer data security, confidentiality, and processing integrity with our being SOC 1 & SOC 2 compliant. Customers, prospects, and partners always need an assurance that their data is being handled by an organization they can trust. SOC 1 & SOC 2  compliance reports give that kind of assurance as they are supported by proven regulations and standards (AICPA) and conducted by an independent, unbiased 3rd party auditor.

With almost all organizations now online, data security has rapidly become everyone’s top priority. The ability to show strong controls around security, confidentiality, and processing integrity demonstrates a strict adherence to security as per standards backed up by AICPA and our willingness to invest time and money to prove it. SOC reports focus on the security design and operating effectiveness of CellarStone’s policies, procedures, and controls.

An SOC audit acts as a demonstration of an organization’s understanding and commitment to financial and security controls.

These reports are periodically issued by independent, unbiased 3rd party auditors.

About SOC

SOC stands for “Service and Organization Controls”. SOC is a set of standards that allow service organizations to demonstrate that they are managing their customers’ data properly. SOC series of audits and reports are designed and introduced by the American Institute of Certified Public Accountants (AICPA).

It reports on the controls service organizations use to protect, process, and store client data.

SOC compliance nets out in a variety of reports depending on requirements.

SOC 1 is best for organizations that handle their customers’ financial data. This can be used to comply with the Sarbanes-Oxley Act and other similar regulations. This type of report can only be given to the management of the service organization, user entities and their auditors.

SOC 2, on the other hand, is more rigorous in that it focuses on how customer data is stored and protected. To simplify, it is more security-focused compared to SOC 1. A copy of the SOC 2 report can also be given to prospects, existing clients, business partners, auditors, and regulators to provide them with an insight of the organization’s internal controls upon signing a non-disclosure agreement.

This report is an assessment of an organization’s controls as they relate to the AICPA’s (American Institute of Certified Public Accountants) five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

• Security: Focuses on both physical and system security. It examines whether business premises and systems are protected from unauthorized access and if there are controls in place that will alert the organization in the event of suspicious activity.
• Availability: Ensures customers can access their systems as outlined in their contractual agreements.
• Processing Integrity: Ensures that system processing is complete, valid, accurate, timely, and
• Confidentiality: Audits whether an organization has restrictions in place on how data is shared, accessed, stored, and transferred.
• Privacy: How an organization collects and uses customer information and assesses whether the privacy policy in place aligns with operational procedures.

Type 1 vs. Type 2 Report

The Type 1 Report checks to see if an organization’s systems and controls are properly designed and implemented at a specific point in time.

Type 2, on the other hand, attests that an organization’s systems and controls are operating effectively over a minimum 6 months period. 

SOC Scope

As SOC auditing can be tailored to the organization requirements, CellarStone selected SOC 1 Type 2 and SOC 2 Type 2 auditing for their business needs.

This is because Type 2 focuses more on operating effectiveness rather than design and also covers a period of time rather than a specific time.         

Out of the five Trust Service Criteria, Security, Processing Integrity, and Confidentiality were chosen for the audit. This is because CellarStone already partners with Worldclass Data Center Providers and their availability is our availability. We can provide our data centers’ SOC 2 report for the Availability trust service criteria.

We also chose not to be audited for the Privacy trust service criteria since CellarStone is already GDPR compliant – most of the criteria for privacy are the same for GDPR and SOC. For Privacy-related trust service criteria, we can provide our GDPR compliance report.

Importance and Benefits of SOC Compliance

CellarStone invested time and money in becoming SOC compliant, but it is very important to understand and promote what benefits it provides to our customers and how important it is. 

Importance 

• As CellarStone stores the customer data in the cloud, the SOC 2 audit minimizes risk and prevents the data from being exposed. The five trust service criteria are important in establishing customer /prospect trust and ensuring the right practices, policies, and procedures are in place and in line with data protection regulations.
• An SOC audit helps us to deploy well-defined, ongoing policies, procedures, and practices. This builds trust in customers and end users that we are secure and operate cloud infrastructure that can keep their data safe.
• An SOC review ensures that we have detailed audit trails that provide deep context and enable them to conduct effective security operations. It also puts organizations in a position to effectively discover malicious, suspicious, or unauthorized activity across their networks, processes, and systems, by establishing a continuous security monitoring service.

Benefits  

• Controls are already audited

Many of our customers don’t have a full IT security team to investigate and audit all controls, primarily because it involves lot of time and money. Because of this, CellarStone has invested heavily on this audit to ensure our customers that controls are placed properly. Auditors inspect the controls, interview the responsible personnel, and test the controls to check whether controls are meeting the stringent security standards.

• Controls are properly and securely designed

We give utmost care to our customers’ data. The controls are designed in such a way that data is always secured, available, and monitored as per the guidelines, standards, and regulations specified by AICPA. The physical security, data servers’ security, hiring process, business continuity plans, off-site backups (region specific), load balancing, vendor management, audit logs are designed to provide high security, availability, and monitoring of the data.

• Controls are properly and securely developed & operating as designed

The controls are developed to operate effectively all the time. The reports are covered for a period of time and ensures that the controls are developed to prove that the controls perform well over longer stretch of time.

CellarStone SOC report

After completing the SOC compliance audit, CellarStone received a report which verifies that the auditors did everything required towards minimizing security risks. The report contains the following sections.

Independent Auditor’s Report: Explains the scope, auditor’s responsibilities, CellarStone’s responsibilities, description of test controls, and their opinion.

Assertion Statement from CellarStone Management: Explains CellarStone’s security controls regarding the first trust service criteria, sub service organization scope & complimentary user entity controls.

System Overview: Provides an overview of Cellarstone, QCommission software, system requirements, & sub service organization details.

Relevant Aspects of Control Report: Outlines CellarStone’s internal controls, analyzes how the security, processing integrity, & confidentiality risk assessment was conducted, how the control environment, new hires and terminations, risk assessment, monitoring activities, control activities, system operations, business communications, customer setup, change management & confidentiality controls are operating. Tested whether operating as per the design and provided best recommended approaches.

Complimentary Subservice Organization Controls Report: Outlines the scope of CellarStone’s internal controls and controls expected to be implemented at subservice organizations. These controls must be evaluated in conjunction with CellarStone’s controls.

Complimentary User Entity Controls Report: Outlines the controls to be implemented at each end user entity. These controls must be evaluated in conjunction with CellarStone’s Controls.

Test of Controls and Results Report: Analyzes the performance of control, inspects the evidences, inquiries & interviews, management and relevant personnel, and outlines whether auditor deemed them effective enough to meet trust service criteria principles recommended by AICPA.

SOC Requirement and Controls Report: Outlines the SOC requirements and references as per AICPA standards.

Conclusion

With SOC 1 TYPE 2 and SOC 2 TYPE 2, GDPR report, our partners’ SOC 2 reports, CellarStone is therefore confident in that we are able to meet all the 5 trust services criteria outlined by the AICPA. We are committed to providing best in class and secured data services to our customers.

Note: A copy of this report is available for all CellarStone’s QCommission active customers as well as for partners and prospects who are interested in QCommission and have signed a non-disclosure agreement.