Company News / Law & Policy

Rippling Achieves “Gold Standard” SOC 2 Type II Security Certification

Alberto Martinez, Oct 1, 2020

Rippling is still a young company, but we’re serious about security. We’re pleased to announce that we’re now SOC 2 Type II certified, widely considered the gold standard for demonstrating a company’s ability to handle and secure confidential data. Rippling achieved SOC 2 Type I compliance in 2018.

What’s SOC 2?

SOC 2 is an auditing framework created by the American Institute of Certified Public Accountants (AICPA) for service organizations, notably tech companies with online systems that store or process customer data. An audit measures a company’s controls against the AICPA’s Trust Services Criteria: Security is always in scope, while Availability, Processing Integrity, Confidentiality and Privacy are optional, so every SOC 2 report states which criteria were covered. SOC 2 requires that companies establish and follow strict information security policies and procedures. Like a financial audit, a SOC 2 assessment is performed by an independent CPA firm that produces a detailed attestation report. Strictly speaking there is no certificate; the report itself is the deliverable, which is why customers should ask for the report rather than a badge. A Type I report covers the design of controls at a point in time; a Type II report covers whether those controls operated effectively over a review period.

What hoops did you have to jump through?

The rigorous process to receive SOC 2 Type II certification takes many months because it evaluates a company’s data controls over an extended period of time. It’s a deep dive not only into your technology, but your people, policy, and processes. For each of the security criteria Rippling was evaluated against over the course of the audit, no exceptions in the controls were noted.

As a platform that centralizes sensitive employee information, we wanted to give our customers peace of mind that we follow the most stringent data safeguards.

But we had another motive: To discover how we could use our own product to simplify the process.

After all, Rippling is an always up-to-date source of truth for all your employee data, and many of the internal controls SOC 2 requires involve HR and IT. So we used this opportunity to be the guinea pig and test how useful Rippling actually is for this use case. 

How Rippling simplifies SOC 2 compliance 

We were thrilled to find that Rippling takes a lot of the pain out of the SOC 2 process by automating data collection and policy compliance in many instances. Having a unified employee system-of-record made it much easier to demonstrate compliance with security controls. 

For example, companies may want to show that when an employee is terminated, all of their access to company systems is also terminated immediately. This is an important security safeguard, yet one study found 89% of former employees retain access to at least one of their former employer’s systems after they leave. 

Fortunately, Rippling not only tracks dates of employment and which tools each worker had access to, but also automatically disables their access to all connected software when they’re terminated, and allows admins to remotely wipe their laptops. Our Custom Reports tool makes it easy to document that this protocol was followed in just a few clicks. 

Onboarding, offboarding, app provisioning, employee device inventory and device configuration are all processes that can be automated through Rippling to ensure compliance with SOC 2 standards. Our product provides real-time information on the hardware and software used by your workforce, as well as visibility into any threats detected by our endpoint security partner. 

In short, we used Rippling both to enforce SOC 2 standards internally and provide evidence of our compliance to auditors.

Here are some of the ways we used Rippling during SOC 2:

HR 

  • Automate employee account creation and deletion in our onboarding and offboarding procedures
  • Automate background checks as part of the hiring flow
  • Use Rippling reports to automate evidence collection for the new hire population, terminated employee population, account creation/deletion dates, and more

Security and provisioning

  • Enforce a strong password policy and 2FA settings within Rippling 
  • Use Rippling SSO/SAML to securely access all critical third-party applications and infrastructure

Hardware

  • Provide an up-to-date inventory of all employee laptops including information on hardware, OS, antivirus software, and status of security patches
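To make the offboarding evidence concrete, here is an added example of the reconciliation an auditor effectively asks for when testing the termination control. This is illustration code written for this page, not Rippling’s code or a description of how the product works internally. It assumes two constructed inputs: the HR system of record’s terminated-employee population, and per-application account exports of the kind an IdP or SaaS admin API returns. The employee IDs, application names, dates and the one-day revocation SLA are all made up for the example.

```python
"""Reconcile HR terminations against application account exports.

Added example for the offboarding control described above; it is not
Rippling's code. For each (employee, application) pair it records whether
access was revoked and how long after the termination date, producing the
kind of evidence an auditor asks for and flagging exceptions, including the
case the 89% statistic describes: an account still active after departure.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed HR export: employees terminated during the review period.
TERMINATIONS = [
    {"employee_id": "E100", "termination_date": date(2020, 3, 31)},
    {"employee_id": "E101", "termination_date": date(2020, 5, 15)},
    {"employee_id": "E102", "termination_date": date(2020, 6, 30)},
]

# Constructed per-application account exports. "disabled_on" is the date the
# account was disabled, or None when the export does not record one.
APP_ACCOUNTS = {
    "github": [
        {"employee_id": "E100", "status": "disabled", "disabled_on": date(2020, 3, 31)},
        {"employee_id": "E101", "status": "disabled", "disabled_on": date(2020, 5, 22)},
        {"employee_id": "E102", "status": "active", "disabled_on": None},
    ],
    "aws": [
        {"employee_id": "E100", "status": "disabled", "disabled_on": date(2020, 3, 30)},
        {"employee_id": "E101", "status": "disabled", "disabled_on": None},
        {"employee_id": "E102", "status": "disabled", "disabled_on": date(2020, 7, 3)},
    ],
}

# Assumed control (hypothetical SLA): access disabled within one day of termination.
REVOCATION_SLA = timedelta(days=1)


@dataclass
class Finding:
    employee_id: str
    app: str
    termination_date: date
    disabled_on: Optional[date]
    # "ok": revoked within SLA; "late": revoked after SLA; "open": still
    # active; "unverified": disabled but no timestamp to prove when.
    status: str
    days_late: int = 0


def classify(account, termination_date, sla):
    """Decide the evidence status of one account for one terminated employee."""
    if account["status"] != "disabled":
        return "open", 0
    disabled_on = account["disabled_on"]
    if disabled_on is None:
        return "unverified", 0  # a date-less "disabled" flag is not evidence
    overdue = (disabled_on - termination_date) - sla
    if overdue.days > 0:
        return "late", overdue.days
    return "ok", 0  # revoked on time, including before the termination date


def reconcile(terminations, app_accounts, sla=REVOCATION_SLA):
    """Join the HR population to every app export; one Finding per account."""
    findings = []
    for term in terminations:
        for app, accounts in app_accounts.items():
            for acct in accounts:
                if acct["employee_id"] != term["employee_id"]:
                    continue
                status, days_late = classify(acct, term["termination_date"], sla)
                findings.append(Finding(term["employee_id"], app,
                                        term["termination_date"],
                                        acct["disabled_on"], status, days_late))
    return findings


def exceptions(findings):
    """Everything an auditor would list as an exception to the control."""
    return [f for f in findings if f.status != "ok"]


def render(findings):
    """Plain-text evidence table, one row per (employee, app)."""
    lines = ["employee  app     terminated  disabled    status"]
    for f in findings:
        disabled = f.disabled_on.isoformat() if f.disabled_on else "-"
        lines.append(f"{f.employee_id:<9} {f.app:<7} {f.termination_date} "
                     f"{disabled:<11} {f.status}"
                     + (f" (+{f.days_late}d)" if f.days_late else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    results = reconcile(TERMINATIONS, APP_ACCOUNTS)
    print(render(results))
    print(f"\n{len(exceptions(results))} exception(s) out of {len(results)} accounts")
```

The point of the "unverified" status is that an export saying an account is disabled, with no date, does not prove the control operated on time; auditors test the timestamp, so whatever tooling produces the evidence has to retain it. Accounts disabled before the termination date (for example, on the last working day) count as on time.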

The SOC 2 process was a great learning experience for us. Now that we know what our product can do, we’re eager to support customers going through their own security certification audits.

Ultimately, we want Rippling to enable one-click SOC 2 compliance.

Imagine simply clicking “SOC 2 configuration” in the product and we’d automatically enforce all the relevant security standards for your employees — and instantly generate pre-baked SOC 2 reports so the evidence is at your fingertips. That’s the vision we’re working towards.

To receive Rippling’s SOC 2 Type II Compliance report, please contact sales@rippling.com.

SOC 2 Step-by-step

Step 1: Scoping and readiness assessment
At least two months before initiating a SOC 2 audit, companies must familiarize themselves with its framework, decide which Trust Services Criteria are in scope, review and update their policies and procedures, and find out what issues they need to fix before the audit.

Step 2: Evaluation period
The formal evaluation period typically covers six months the first time, and allows the auditor to answer the question: did the security controls that were in place during this window of time operate effectively?

Step 3: Evidence collection and testing
At the end of the review period, you’ll need to organize documents and evidence for your auditors. SOC 2 compliance requires a lot of documentation. Fortunately, evidence collection is highly automated through Rippling.

Step 4: Receive report
A few weeks after the end of your formal evaluation period, which may include an on-site audit, your company will receive the auditor’s final report.

Step 5: Annual refresh
SOC 2 Type II compliance isn’t a “one and done” achievement. Each report covers a specific review period, so to stay current companies must repeat the process annually.

Alberto Martinez is Lead Security Engineer at Rippling.
