Rippling is still a young company, but we’re serious about security. We’re pleased to announce that we’re now SOC 2 Type II certified, widely considered the gold standard of a company’s ability to handle and secure confidential data. Rippling achieved SOC 2 Type I compliance in 2018.
What’s SOC 2?
SOC 2 is a set of security standards created by the American Institute of Certified Public Accountants (AICPA) specifically for tech companies with online systems that store confidential information. SOC 2 requires that companies establish and follow strict information security policies and procedures. Like a financial audit, a SOC 2 assessment is performed by an independent auditor who produces a detailed final report.
What hoops did you have to jump through?
The rigorous process to receive SOC 2 Type II certification takes many months because it evaluates a company’s data controls over an extended period of time. It’s a deep dive not only into your technology, but your people, policy, and processes. For each of the security criteria Rippling was evaluated against over the course of the audit, no exceptions in the controls were noted.
As a platform that centralizes sensitive employee information, we wanted to give our customers peace of mind that we follow the most stringent data safeguards.
But we had another motive: To discover how we could use our own product to simplify the process.
After all, Rippling is an always up-to-date source of truth for all your employee data, and many of the internal controls SOC 2 requires involve HR and IT. So we used this opportunity to be the guinea pig and test how useful Rippling actually is for this use case.
How Rippling simplifies SOC 2 compliance
We were thrilled to find that Rippling takes a lot of the pain out of the SOC 2 process by automating data collection and policy compliance in many instances. Having a unified employee system-of-record made it much easier to demonstrate compliance with security controls.
For example, companies may want to show that when an employee is terminated, all of their access to company systems is also terminated immediately. This is an important security safeguard, yet one study found 89% of former employees retain access to at least one of their former employer’s systems after they leave.
Fortunately, Rippling not only tracks dates of employment as well as what tools workers had access to, it automatically disables employee access to all software when they’re terminated – and allows admins to remotely wipe their laptops. Our Custom Reports tool makes it easy to document that this protocol was followed in just a few clicks.
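The offboarding control described above is, at its core, a reconciliation: every account a terminated employee held must show a revocation on or before the termination date, and the report an auditor sees is the list of exceptions (ideally empty). The following is an added illustration, not Rippling's code or data format, of what such an evidence check looks like when the HR system of record and per-system access records are exported to a script. The `Employee`, `AccessRecord` and `Finding` types, the `grace_days` parameter and all sample rows are constructed for the example; it goes slightly beyond the paragraph by also flagging accounts whose owner does not exist in the HR roster at all, since an orphaned account is the same risk wearing a different hat.

```python
"""Reconcile terminated employees against access records to produce
offboarding evidence. Added illustration with constructed sample data;
none of the types or rows below are a real HR or Rippling export format."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class AccessRecord:
    employee_id: str
    system: str
    granted: date
    revoked: Optional[date]  # None means the account is still active


@dataclass(frozen=True)
class Finding:
    employee_id: str
    system: str
    reason: str


# Constructed sample data (hypothetical people and systems).
EMPLOYEES = [
    Employee("e1", "Ada", date(2019, 3, 1)),
    Employee("e2", "Ben", date(2019, 3, 15)),
    Employee("e3", "Cy", date(2019, 4, 2)),
    Employee("e4", "Di", None),  # current employee, out of scope
]
ACCESS_RECORDS = [
    AccessRecord("e1", "email", date(2018, 1, 8), date(2019, 3, 1)),
    AccessRecord("e1", "vpn", date(2018, 1, 8), date(2019, 3, 1)),
    AccessRecord("e2", "email", date(2018, 5, 2), date(2019, 3, 15)),
    AccessRecord("e2", "source-control", date(2018, 5, 2), None),  # never revoked
    AccessRecord("e3", "email", date(2018, 9, 9), date(2019, 4, 5)),  # three days late
    AccessRecord("e4", "email", date(2018, 11, 1), None),  # still employed, fine
    AccessRecord("e9", "wiki", date(2018, 2, 2), None),  # owner missing from HR roster
]


def offboarding_findings(employees: List[Employee], records: List[AccessRecord],
                         grace_days: int = 0) -> List[Finding]:
    """Return one Finding per access record that violates the control:
    the account is still active after termination, was revoked later than
    termination_date + grace_days, or belongs to nobody in the roster.
    An empty list is the "no exceptions noted" result an auditor wants."""
    roster = {e.employee_id: e for e in employees}
    findings: List[Finding] = []
    for rec in records:
        emp = roster.get(rec.employee_id)
        if emp is None:
            findings.append(Finding(rec.employee_id, rec.system,
                                    "no matching employee record"))
            continue
        if emp.termination_date is None:
            continue  # current employee; access is expected to be active
        deadline = emp.termination_date + timedelta(days=grace_days)
        if rec.revoked is None:
            findings.append(Finding(rec.employee_id, rec.system, "still active"))
        elif rec.revoked > deadline:
            late = (rec.revoked - emp.termination_date).days
            findings.append(Finding(rec.employee_id, rec.system,
                                    f"revoked {late} day(s) after termination"))
    return findings


def evidence_summary(employees: List[Employee], records: List[AccessRecord],
                     grace_days: int = 0) -> Dict[str, dict]:
    """Per terminated employee: how many systems were checked and which,
    if any, failed. This is the per-person view a report would tabulate."""
    flagged = {(f.employee_id, f.system)
               for f in offboarding_findings(employees, records, grace_days)}
    summary: Dict[str, dict] = {}
    for emp in employees:
        if emp.termination_date is None:
            continue
        systems = [r.system for r in records if r.employee_id == emp.employee_id]
        summary[emp.employee_id] = {
            "terminated": emp.termination_date.isoformat(),
            "systems_checked": len(systems),
            "exceptions": sorted(s for s in systems if (emp.employee_id, s) in flagged),
        }
    return summary


if __name__ == "__main__":
    for f in offboarding_findings(EMPLOYEES, ACCESS_RECORDS):
        print(f"{f.employee_id:>3} {f.system:<15} {f.reason}")
    for emp_id, row in evidence_summary(EMPLOYEES, ACCESS_RECORDS).items():
        print(emp_id, row)
```

The `grace_days` knob exists because a policy sometimes tolerates a same-business-day or next-day revocation; set it to what your written policy actually says, since the auditor tests the control as documented, not as you would like it to be. Orphaned accounts are reported separately from late revocations because they usually point at a provisioning path that bypassed the system of record rather than at a slow offboarding.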
Onboarding, offboarding, app provisioning, employee device inventory and device configuration are all processes that can be automated through Rippling to ensure compliance with SOC 2 standards. Our product provides real-time information on the hardware and software used by your workforce, as well as visibility into any threats detected by our endpoint security partner.
In short, we used Rippling both to enforce SOC 2 standards internally and provide evidence of our compliance to auditors.
Here are some of the ways we used Rippling during SOC 2:
- Automate employee account creation and deletion as part of our onboarding and offboarding procedures
- Automate background checks as part of the hiring flow
- Use Rippling reports to automate evidence collection for the new-hire population, the terminated-employee population, account creation/deletion dates, and more
Security and provisioning
- Enforce a strong password policy and 2FA settings within Rippling
- Use Rippling SSO/SAML to securely access all critical third-party applications and infrastructure
- Provide an up-to-date inventory of all employee laptops, including hardware, OS, antivirus software, and the status of security patches
The SOC 2 process was a great learning experience for us. Now that we know what our product can do, we’re eager to support customers going through their own security certification audits.
Ultimately, we want Rippling to enable one-click SOC 2 compliance.
Imagine simply clicking “SOC 2 configuration” in the product and we’d automatically enforce all the relevant security standards for your employees — and instantly generate pre-baked SOC 2 reports so the evidence is at your fingertips. That’s the vision we’re working towards.
To receive Rippling’s SOC 2 Type II Compliance report, please contact email@example.com.
SOC 2 Step-by-step
| Step | What happens |
|---|---|
| Step 1: Scoping and readiness assessment | At least two months before initiating a SOC 2 audit, companies must familiarize themselves with its framework, review and update their policies and procedures, and find out what issues they need to fix before the audit. |
| Step 2: Evaluation period | The formal evaluation period typically covers six months the first time, and allows the auditor to answer the question: Did the security controls that were in place during this window of time operate effectively? |
| Step 3: Evidence collection and testing | At the end of the review period, you’ll need to organize documents and evidence for your auditors. SOC 2 compliance requires A LOT of documentation. Fortunately, evidence collection is highly automated through Rippling. |
| Step 4: Receive report | A few weeks after the end of your formal evaluation period, which may include an on-site audit, your company will receive the auditor’s final report. |
| Step 5: Annual refresh | SOC 2 Type II compliance isn’t a “one and done” achievement. To maintain certification, companies must repeat the process annually. |
Alberto Martinez is Lead Security Engineer at Rippling.