Rippling achieves “gold standard” SOC 2 Type II security certification

Published

Oct 1, 2020

Rippling is still a young company, but we’re serious about security. We’re pleased to announce that we’re now SOC 2 Type II certified, widely considered the gold standard of a company’s ability to handle and secure confidential data. Rippling achieved SOC 2 Type I compliance in 2018.

What’s SOC 2?

SOC 2 is a set of security standards created by the American Institute of Certified Public Accountants (AICPA) specifically for tech companies with online systems that store confidential information. SOC 2 requires that companies establish and follow strict information security policies and procedures. Like a financial audit, a SOC 2 assessment is performed by an independent auditor who produces a detailed final report.

What hoops did you have to jump through?

The rigorous process to receive SOC 2 Type II certification takes many months because it evaluates a company’s data controls over an extended period of time. It’s a deep dive not only into your technology, but into your people, policy, and processes. For each of the security criteria Rippling was evaluated against over the course of the audit, no exceptions in the controls were noted.

But we had another motive: To discover how we could use our own product to simplify the process.

After all, Rippling is an always-up-to-date source of truth for all your employee data, and many of the internal controls SOC 2 requires involve HR and IT. So we used this opportunity to be the guinea pig and test how useful Rippling actually is for this use case.

How Rippling simplifies SOC 2 compliance 

We were thrilled to find that Rippling takes a lot of the pain out of the SOC 2 process by automating data collection and policy compliance in many instances. Having a unified employee system of record made it much easier to demonstrate compliance with security controls.

For example, companies may want to show that when an employee is terminated, all of their access to company systems is also terminated immediately. This is an important security safeguard, yet one study found 89% of former employees retain access to at least one of their former employer’s systems after they leave.

Fortunately, Rippling not only tracks dates of employment and what tools workers had access to, it also automatically disables employee access to all software when they’re terminated and allows admins to remotely wipe their laptops. Our Custom Reports tool makes it easy to document that this protocol was followed in just a few clicks.

Onboarding, offboarding, app provisioning, and employee device management, inventory, and configuration are all processes that can be automated through Rippling to ensure compliance with SOC 2 standards. Our product provides real-time information on the hardware and software used by your workforce, as well as visibility into any threats detected by our endpoint security partner.

In short, we used Rippling both to enforce SOC 2 standards internally and to provide evidence of our compliance to auditors.

Here are some of the ways we used Rippling during SOC 2:

HR

  • Automated employee account creation and deletion in our onboarding and offboarding procedures
  • Automated background checks as part of the hiring flow
  • Automated evidence collection for new hire population, terminated employee population, account creation/deletion dates, and more

Security and provisioning

  • Enforced a strong password policy and 2FA settings within Rippling
  • Used Rippling SSO/SAML to securely access all critical third-party applications and infrastructure

Hardware

  • Provided an up-to-date inventory of all employee laptops, including information on hardware, OS, antivirus software, and status of security patches

The SOC 2 process was a great learning experience for us. Now that we know what our product can do, we’re eager to support customers going through their own security certification audits.

Ultimately, we want Rippling to enable one-click SOC 2 compliance.

Imagine simply clicking “SOC 2 configuration” in the product and we’d automatically enforce all the relevant security standards for your employees — and instantly generate pre-baked SOC 2 reports so the evidence is at your fingertips. That’s the vision we’re working towards.

To receive Rippling’s SOC 2 Type II Compliance report, please contact support@rippling.com.

SOC 2 Step-by-step

Step 1: Scoping and readiness assessment

At least two months before initiating a SOC 2 audit, companies must familiarize themselves with its framework, review and update their policies and procedures, and find out what issues they need to fix before the audit.

Step 2: Evaluation period

The formal evaluation period typically covers six months the first time, and allows the auditor to answer the question: Did the security controls that were in place during this window of time operate effectively?

Step 3: Evidence collection and testing

At the end of the review period, you’ll need to organize documents and evidence for your auditors. SOC 2 compliance requires A LOT of documentation. Fortunately, evidence collection is highly automated through Rippling.

Step 4: Receive report

A few weeks after the end of your formal evaluation period, which may include an on-site audit, your company will receive the auditor’s final report.

Step 5: Annual refresh

SOC 2 Type 2 compliance isn’t a “one and done” achievement. To maintain certification, companies must repeat the process annually.

last edited: March 26, 2024

The Author

Alberto Martinez

Lead Security Engineer