![SOC 2 Compliance – Can it be done in 6 weeks? [webinar]](https://arpio.io/wp-content/uploads/2021/08/SOC-2-Compliance-For-SaaS-Companies-How-Hard-Is-It.png)
Doug Neumann
Thanks for joining us today, everyone. We’re excited to tell you about some SOC 2 stuff. This webinar is going to be my journey, Arpio’s journey, pursuing SOC 2 in collaboration with Laika. I think we’re taking a pretty conversational approach. I want to encourage you guys to go ahead and ask questions as you have them and shoot them in the chat. We can answer those in real-time.
Meanwhile, Sim, who I’ll introduce in just a second, or she’ll introduce herself, she and I will tell you what it has been like thus far and where we are on the SOC 2 process. Just to dive in, let me tell you guys, I’ve met some of you in person before, some of you have not, but my name is Doug. I’m one of the founders of a company called Arpio. We’ll talk about what Arpio does in a bit, but we’re a SAS business, and we are in the process of doing SOC 2, which is what we’re going to talk about here.
I come to this from the perspective of an engineer. I’ve been a cloud engineer for a little more than a decade, managing software teams, and Arpio is the first time I’ve started a company and the first time I’ve had to do SOC 2 directly, although companies I’ve been at before have done the process before. And that’s a bit of me. We can dive in more on that later, but Sim, who are you?
Simrat Singh
Hi, I have been working at Laika for the past few months. I have four years of experience from KPMG doing security, risk, and compliance. I’ve been here really helping you guide you through your compliance program, which helped build Arpio’s SOC 2 compliance program.
Doug Neumann
Yeah. You’re our compliance architects then, right? Is that the official term?
Simrat Singh
Compliance architect? So I just guide you by making sure that your policies are making sense, that you’re implementing the right controls, your best practices, and building up that foster so that your customers can trust you and that you are SOC 2 compliant.
Doug Neumann
Fantastic. Awesome. Well, let me just dive in to get started. I think it’s kind of relevant for everybody who’s in attendance, just to explain why we chose to do SOC 2 at Arpio. And, I’ll be honest, our business is still relatively young, but we’ve been in the market for a couple of years, but something happened for us about three or four months ago, where conversations that used to say, do you happen to have a certification like SOC 2 suddenly became we won’t work with you until you do have that in place.
Honestly, I don’t know if that’s a change that’s happening in the market if people see that comprehensively if it’s a reflection of where we are as a business, and we just happened to be working with organizations that are more formal in what their expectations are of their vendors, but it really, it makes sense.
So, Arpio is a solution for disaster recovery of Amazon Web Services (AWS) environments. Our customers use us oftentimes because they’re trying to be compliant with their own regimes that are appropriate for their business, but it’s not fair for us to not also step up to that same compliance bar as they’re doing. If we’re going to help our customers be highly available and resilient to catastrophic events that happen in the cloud, we also need to be highly available and very much resilient to those same things. For us, Sim, it was really a customer-driven thing that’s based on what our business does, I think, but also based on trends in the market.
Simrat Singh
Yeah. I’m really glad that you mentioned that. I imagine that the people on this chat also recognize that, and more as we head towards the future, customers realize how important their data is. They’re going to ask the companies that are processing their data, are you doing the right things to protect it? Are you putting in the right security practices? At this point, data is knowledge, knowledge is power. I mean, data’s becoming more important than money at this point. Customers have the right to ask the people who are really processing this to ensure they’re doing their due diligence. I’m really excited to see that you’re really taking it on. You’re excited about it. We’re doing this webinar just to showcase the importance of this and why we really need to be excited about this. We want to serve our customers, and we want to serve our people, and we want to make sure that we’re establishing that trust. So, yeah, I’m glad that they’re demanding this.
Doug Neumann
It’s funny. You used the word excited cause who really gets excited about compliance. But, I’ll tell you, we’re excited about this. This is a meaningful inflection point for our business. We’ve been excited about working with you guys to do this. I think as we’ll talk in a little bit, we thought compliance was going to be extremely difficult for us to attain, and it’s been surprisingly doable as we go through this. We’ll give a little more detail in a couple of slides. Tell us first about SOC 2 for people who don’t know what this is all about. What is this all about?
Simrat Singh
SOC 2 is a regulatory framework that was actually created by a group of accountants from the ICPA. It’s really a framework that drives to show trust. Like I mentioned to your customers, you’re doing the right things to protect their information from an internal and external standpoint. There are two types of tests that we do. There’s a type 1 and a type 2. If you hit the next space bar again and one more time, great. There’s a type 1 and a type 2. Type 1, tests a point in time. What’ll happen is an auditor will come in and make sure that on Tuesday at 1:00 PM, your security controls and all your evidence is working as it should be at this moment. We’ll do a point-in-time analysis. That’ll be your type 1, your type 2 will test the effectiveness of your controls over a longer period of time.
We know that security is not just a one-and-done thing. You can’t just implement one control and then be done with it and walk away. You have to make sure you’re monitoring it. You have to make sure that it’s continuously happening. In a type 2 audit, we’ll make sure that your controls are effective over that six to 12 month period. You’ll want to make sure that you do your audits every year to make sure that you’re up to date, and customers can really rely on the fact that you’re continuously doing what you’re supposed to do over that longer period of time. That’s really overall what SOC 2 does.
Doug Neumann
Okay, so type 1, this is my layman’s version of what you just said. Type 1 is, do you have the practices in your business that would allow you to be compliant type 2 is have you over a period of time been executing those practices faithfully so that you are truly compliant. I’ll be honest, our customers are asking us about type 2. So, type 1 is what we are still in the late stages of achieving. Once we have type 1, that’s just the beginning of this compliance journey for us. We have to exercise those practices, follow those policies and prove to the auditors six months out that we’ve done that for the past six months so that they will grant us type 2. If I recall correctly, we have to get rerouted every 12 months.
Simrat Singh
Every year.
Doug Neumann
Is this because it gives us a document that says, we’ve certified that you’re compliant, and this document expires in 12 months?
Simrat Singh
Pretty much, but also, there’s so much change that can happen within that year. You might hire new people, you might integrate your processes, you might do a new service opportunity. Every year as you grow, you want to make sure that as you scale, you’re doing the right things as your business grows. That’s also a big purpose of being able to monitor that audit every year.
Doug Neumann
Okay, great. Here’s a question that we didn’t prepare for, but I’ve always wondered. I think of this as largely an IT framework, largely around security. Why is it invented by accountants?
Simrat Singh
By accountants? I want to say because accountants like audits is a very like black and white experience, you either are passing it or you’re not. I think for that reason, SOC provides that really nice first step of a security program. Like ISO is not created by auditors. That’s a very security focused technical focus framework. It’s kind of a lot for just a regular business or small business to kind of tackle on the first thing. A SOC 2 kind of is a nicer, easier first step. That kind of makes it really clear that this is what you need to be doing, and this is what you should not be doing. That’s my guess on maybe why it was created by accountants, but it’s easy enough for people to digest, but it’s not totally inclusive enough for it to truly be created by true security professionals.
Doug Neumann
Yeah. Sorry for the curveball there. I should’ve warned you, I suppose, but anyway, all right. Coming into this, I had a preconceived notion, and this will probably shed light on that whole auditor thing or whatever. SOC 2 was going to be about security consultants charging us loads of money so that they can deep dive into our application, look at our architectures, read certain source code that felt like it was security-relevant, do all kinds of penetration testing to find the vulnerabilities that we need to fix, give us a lot of processes that were going to slow us down, and loads of documentation as part of that focused wholly on hacking and eliminating the chances that a bad actor can get into our environment and steal our data, do bad things to our service, and ultimately jeopardize our customer’s data that we’re the stewards of.
So that was what I thought. I think ultimately what I’ve found is that it’s not security experts, it’s compliance experts. This is where the accountant thing I think comes in is that it’s people who understand both, some element of the security exposure, but also the legal perspectives on these problems, the risk perspectives on these problems, how it is that you put together a program that documents what you’re going to do, and then how you support that with checks and balances in your business to make sure that you’re following it appropriately.
Simrat Singh
Definitely. That’s a great take, actually.
Doug Neumann
It is very much about the conversation. That’s the conversation that we’re having as an organization about what we want to be doing to be compliant, and making sure that we are aligning our operations with various best practices. Those best practices are things that we, I think we’ve already known about. Most of the, for the most part, were already doing inconsistently within the organization, and what this has done is really pushed us to execute them more formally and more consistently through our operations.
Simrat Singh
Like, organize your best practices.
Doug Neumann
Yeah. I mean, I think the last thing is we found it was not nearly as expensive as I thought it was going to be. I’ve heard numbers from other companies about what they’ve paid to get fully compliant. There are six figures involved in many of those numbers, and that’s not been our experience. And we’re a small organization. We don’t have to deal with things like, how do you get a thousand people trained on security best practices, but for us, it’s been. I think both because of the tooling that Laika has been able to provide for us and just the integration of all of the various services, or very little have we had to spend beyond what we’re spending, with the Laika service.
There’s this concept in SOC 2 called trust services criteria. What are TSCs?
Simrat Singh
This kind of serves the foundation of your entire SOC 2 report. At a high level, there are five trust services criteria that your SOC 2 kind of encompasses or can encompass: security, confidentiality, availability, processing, integrity, privacy. So, a baseline at a minimum, you always need to have security criteria in place. We generally suggest we always start with security. It’s a more holistic approach to integrating these controls. On the right-hand side, you’ll see a list of areas that are common throughout the five trust services criteria. For you, we really scoped insecurity, confidentiality, and availability since you’re heavily focused on business continuity and disaster recovery, and availability really plays a key component in that. How available is your data? Are you doing your data backups? Are you monitoring your data repository? How accessible is it that’s such an impact on your business? And that was a reason why we scoped that trust service criteria for you guys.
Doug Neumann
Yeah, certainly. I mean, I think our customers are always concerned about the security profile of our workload. We connect to their AWS environments, and we orchestrate the DR process within that. We’ve engineered the products to be extremely secure, but we have to be able to prove that to customers about how that works. So, the security TSC is just essential to support the statements that we make to our customers about that. To the point you’re making, like, our product is all about availability when Amazon is not available. We’ve engineered solutions to these problems, but how do we get a third party to come in and say, yep, they’ve got five layers of defense against that. And layer one itself is rock solid. Layer two, three, four, and five, if they ever need them move there. But, hopefully, we never have to move to DefCon 2.
Simrat Singh
No, but these are really great points. This is why we have a compliance part detect team at Laika because security is not a one-size-fits-all. If we were to just be a SAS product and give you kind of the solution, and we’re like, Hey, implement it as you will. And you don’t really get that guidance. You don’t really get that conversation of, well, what if this happens? Or what if this happens? What if we layer this control? What if we change it up so that we’re doing a different dimension of these controls? That’s a huge part of the dialogue. That’s a huge part of the conversation. As you grow and as you scale, it becomes a strategic conversation. That’s something that we really value here at Laika as being part of that conversation throughout the process, so that as you grow or as you change, and you get these kinds of complicated questions where they’re already to at least guide you through what we think would be the best solution there. But ultimately, the decision is always yours.
Doug Neumann
Yep. Yeah. I think it, yeah, ultimately it is always the business that decides what their requirements truly are. They have to be strong enough that the auditors will agree that they’re sufficient. But, so much of this journey has just been about making sure that we are right-sizing for our organization, what we have to do here. As long as we’re following those practices, the audit is going to be easy.
Simrat Singh
Yes. No, very excited. Doug, tell me about your process, like your journey with Laika.
Doug Neumann
First off, I did the math before the call here. We’re, almost five weeks in, on our Laika journey. The question that we posed with the title of this webinar was, can it be done in six weeks? And we’ll talk more about that later on. But, my recollection is that I went through a sales process. We had decided we were going to do this. We signed the contract with Laika, the next day we were getting the onboarding emails to go sign up. I think it was a weekend. We had an actual onboarding, deep-dive call. We spent a couple of hours with you walking through what our practices are. We demoed our application to you and showed you what it does so that you could put into context the kinds of controls that we need to support that. And I mean, we’re up and running, it seems like within just a few days.
The tool then kind of takes over, and it gives us the workflow to go through. It starts with making sure that you’ve got the right policy in place, and there are ten policies that we need in place. There are ten policies built into the tool that we don’t have to go and figure out how to author one of these. We just need to take the policy that’s there and figure out how to tailor it to what we need. As you do that, then there’s a set of other tasks, and it just walks you through the process of making sure that you have established your compliance program and you’re executing it appropriately. And that you’re gathering evidence. Sometimes that evidence is gathered automatically. Sometimes you actually have to go and do manual stuff and put it into the tool.
The whole idea is that the tool has organized the process and the information needed for us to pass the audit. I don’t know, I look at like nine different bullets here, whatever we are, somewhere in the 5, 6, 7 range currently.
Simrat Singh
Seven range. Yup. We’re almost there. We’re towards the end.
Doug Neumann
Once we get to eight, I think that’s when we are type 1, SOC 2 Type 1, and then we get to do ongoing maintenance forever. I mean, it’s like, we’re signing up to do this forever.
Simrat Singh
I know. I know. We’re going to kick off your risk assessment and do that because we need that for your SOC 2 as well. Just some we’re going to help with this weekend and get there.
Doug Neumann
So, for me coming into this, I did a bunch of research to understand SOC 2. I knew what type 1 was. I knew what type 2 was. I didn’t know anything beyond that. That’s really kind of been the education here. How is it that this is actually enacted? And I have a mental model. You’ll have to tell me if it’s wrong, but it’s really, it starts with policies. We, as an organization, need to have documentation that says this is what we’re going to do as an organization in these ten different areas. It’s things like the information security policy, the compliance and risk management policy, how are we going to do change management and configuration management anywhere? We’ve had processes around these things, but they were a little ad hoc, maybe not always written down, maybe never written down. And now we’ve got them actually captured. Policies are a big part of the SOC 2 process, but the nice thing was we had 10 policies given to us, and we just had to go right-size them.
Simrat Singh
Another part of the policies, and I’m really glad that you brought that up a big component of the audit. Isn’t just the policies and making sure that the policies are in place, but it’s managing the policy, that policy lifecycle, when you’re making edits, are you documenting the history of the older policies? Do you have a sign-off process? Are you publishing those? And so that’s also something that we kind of take care of in our, like a platform is being able to kind of manage that process. And it’s such a tedious process. I don’t think people really realized the idea of actually the policy life cycle management itself is such a big component of the audit experience. That’s something you don’t even have to touch, just given the platform. So, that’s another thing I wanted to highlight with the offerings.
Doug Neumann
Yeah, no, I think it’s going as honestly since you mentioned it’s something that wasn’t first-class knowledge in my head, but it is like we edit the policies in a Google doc style editor built into Laika, it’s like a very rich experience. There’s commenting and iteration, and there’s a history of that stuff. When it’s done, we hit publish, and it’s live. That is just, certainly would be a real pain for us to manage those things directly in Google docs or something like that. So, we’ve spent a good amount of time just making sure that we have the right policies in place for us. It comes down to this concept of controls. I’m going to try to explain what I think policies and controls are. You’re going to give me the compliance architect’s authoritative statement of what it is, but the policy is our document.
You kind of think of it as the management of our company saying, this is the way that we are going to handle these things related to security and privacy and business continuity, all that kind of stuff. The controls are actually the physical steps that we take or the automation software that’s in place that will validate that we are following those policies. And sometimes those are proactive. Like you can’t use the system if you don’t have MFA turned on, sometimes it’s more reactive. You need to go in and take a screenshot of something and load it into the tool so that you have evidence that you followed that. I think, to me, that the meat of the execution is all around the controls. The policies are there, but controls are where we spend our time, and we’ll need to spend our time ongoing.
Simrat Singh
Yeah. It’s really interesting that you kind of bring this up. We’re kind of a melding of the minds because we came in with all the policies, and you, someone who has a background in engineering, have very deep knowledge of the controls that need to be set into place. We’re kind of just merging the two or we’re seeing, how do we get alignment on what it is that the policies are really stating that you’re doing and what it is that you’re informally doing and how do we formalize it? So exactly what you said, the policies kind of formalized that control approach that you’re taking. A lot of the conversation, a lot of the dialogue is adopting these policies so that they fit the controls that you’re putting into place. That’s where it can get really fun because it’s not always a one size fit all. You’re always going to have different kinds of controls, different layers of controls, and that should be adequately and properly reflected in your policies. There’s always that adaptability aspect to it. You’re watching it exactly the way that we.
Doug Neumann
Yeah. Then, we’re executing. It’s these controls, a lot of which is us going and acquiring software or configuring existing software too, that we don’t have to maintain compliance as a burden. It’s just going to be automated for us. For example, Laika is connected to our HR platform. It’s connected to our G suite. It’s connected to our AWS environment, and it can go out and discover places where we aren’t compliant and alert us to that so that we can go and deal with those things. We also had to acquire an endpoint protection system for the organization, no more where it could be like, Hey, did you install an antivirus program on that laptop that we bought you? Now it’s actually measured, and we understand, we have an enterprise wide view and it’s capturing the evidence that we need to be able to satisfy beyond it. We’re doing that as we’re executing, the controls are working in, all of this additional, I say, all of this, it hasn’t been that much, but this software configuration and that kind of stuff, to make sure that we’re compliant there.
Simrat Singh
I think point number three is going to be really impactful for you guys. Once you kind of get into your type 2, because through the integrations, now that we’re pulling in continuous data, you’re not going to need to upload those pieces of evidence. We’re going to be able to continuously monitor the same way the type two is going to be continuously testing. So, I would say that for you guys, you’ve kind of gone through the toughest part. You’ve kind of had to sit down and re like, look at your posture as it exists, figure out what the gaps are, figure out what the Delta is. Now. It’s kind of just the runway. It’s kind of taking off now and monitoring and making sure that you’re just going to continuously do this. So, these four points have been highlighted.
Doug Neumann
Yeah. And, the operationalization of compliance for us, I think the thing that we’re doing that I’m actually excited about is we’re putting a once a quarter compliance day on our calendar. And, I mean, the idea is that we’re small enough. We can get everybody in a room and we can say, okay, we have to run our DR tests, Daniel go run the DR Test. We have to have a meeting of the risk committee to review our risks and understand, identify any additional risks that should be put on there. We have to capture minutes of that meeting. Let’s just get that knocked out in the next 30 minutes. We’ll have this standard agenda that once a quarter, we’ll get together and we’ll execute all of this stuff, and that’s going to be the vast majority of the actual compliance work that isn’t just automated through the software solutions that we’ve got in place.
Simrat Singh
Yeah. It looks like you’ll be enacting an oversight committee charter to make sure that everything is happening and that quarterly, I’m so excited. You guys are doing great.
Doug Neumann
That’s kind of it. I mean, it’s not that complex once you get in and do it. It has not been nearly as burdensome as we feared that it could be. I’m just excited that we are taking this journey, and we are close to graduating at the type 1 level. It’s been great to work with you and Laika.
Simrat Singh
It’s been really great to work with you guys, and I’m really excited to see you grow and ultimately, you’ll take on other frameworks, and we’ll work together to kind of build that up together. And, that’s what we’re really here for. Like right now, we did SOC 2, but just know that we’re your compliance buddy, your support, and as you kind of take on, you new things are going to be there.
Doug Neumann
Yeah. I mean, that’s a great point because, like, SOC 2 is just the first. We need to do the ISO 27,001 that you talked about. The nice thing is that all the controls that are built into Laika actually shows us that, in enacting your SOC 2, you’re actually 80% or X percent of the way to having ISO 27,001 completed, so when it is time for us to do that, I think it’s going to be pretty straightforward.
So, We have an incoming question. Yeah, sure. I’m taking a look at the question. So, have our customer specifically asked to read the SOC 2 report once you have it? They have certainly asked to see the SOC 2 documentation. I don’t have it yet, but it is. I think what they want to see is the type 2 documentation when they ask that the people that care enough to ask for that aren’t going to be satisfied with the type 1. We do anticipate that this is a document that will probably be shared under some non-disclosure type of agreement, but certainly is going to be a customer-facing piece of evidence.
Are there any procedure changes you made because of this that you like? Yeah, so, I think that’s the biggest one. I hate to say I’m excited about Compliance Day, but I am excited about us making this a team event. Compliance isn’t something now that we’ll have somebody working in the wings to deal with, and you’ll be given the training. You need to be satisfied and take care of a deadline, but rather it’s something we’re going to rally the organization around. I think it’s going to be team building. I’ve always been the kind of person that thinks real team building happens while you’re doing the work, not while you’re celebrating the work, and we’ll probably figure out how to celebrate compliance day every quarter. The interesting thing is going to be actually working together on that.
Simrat Singh
I really liked that you brought that up because, just as a side note, the idea of compliance and security has such a deep view of trust and trust is such an important basis of compliance. I liked that this is also a team building activity because internally as you’re discussing these topics, they’re so important. They’re really rooted in trust. You end up kind of trusting the people you’re talking to, and you build that kind of team camaraderie because of the importance of this. So, I’m really glad that’s the lens that you’re looking at. That’s the lens that I look at. It’s a really big value proposition.
Doug Neumann
I saw another question come in: what do we recommend that a SAS company considering SOC 2 do to prepare for this?
Simrat Singh
Okay. A few things, I would start with HR, look into how you’re doing your onboarding, your off-boarding, your access reviews, employee headcount. You want to start making sure you have a very clear, robust process in place for doing any HR processes. From there, from a technical standpoint, the biggest one that I always say is start looking into your endpoints. So mobile devices, computers, laptops, cell phones. How are you managing those? How are you protecting those? So, like Doug mentioned earlier, getting that MDM solution to make sure that all your laptops are encrypted. All of them have USB blocking. All of them Airdrop is turned off. How are you centrally managing all of that? So those would be like the two biggest areas that I would definitely kind of start off with. They tend to be the heaviest areas. Doug, what was your experience?
Doug Neumann
Yeah, I think I would agree with all that. I’d also layer in like the vendor management side of it has been important. I think we’ve benefited tremendously that we have built our solution largely on first-party AWS services. Because of that, we don’t have to go chase down a dozen different vendors to figure out their compliance story. Are they compliant with what we’re saying ours is going to be, and whatnot? And, and just those, I mean, honestly, these things are architectural decisions that you make while you’re building a SAS product. If you have made those decisions without, I guess being intentional about it, you might find that you have things that are difficult to unwind as you go forward. Security practices are the same way. Honestly, if you built a bunch of automation that requires you to manage passwords in an insecure way so that your nightly builds can run, then you’re going to have to do engineering efforts to unwind that kind of stuff.
Luckily, my CTO is a really good engineer. I wouldn’t trust myself to have done all right, but he’s done compliance before. And, we were in pretty good shape when we got started here. I guess the next question I see here is: was it difficult for me to sell this internally? I think the answer was no because I could go and tell my team that this customer asked for it, and this customer asks for it. And, at the end of the day, we’re building a business and the team, even the developers, care about the business results. I have one of the developers on the team whose full-time job right now is to make sure that we are doing the SOC 2 stuff correctly. It’s not a labor of love for him. He’s excited about it being done, but that said, he understands the business needs.
He’s growing and learning through this, this experience he’s not had in his career before. That is certainly helping keep him optimistic on the whole process. So, and somebody asks, are they not annoyed with the procedures? Well, I mean, the secret is to involve them in writing the procedure so that they’re not annoying. Yeah. I mean, a classic example is change management. You can have a really onerous change management process. It says that you have to have all these pre-approvals before you do anything. You have post approvals before you deploy anything and all that kind of stuff. Or you can do what we did and say, we already use JIRA to manage our stuff. Every time we’re going to start new work, we need an epic in JIRA that has a brief, like one pager description of that. Break it down into tasks, execute those tasks. The fact that we documented it, not epic, and that it was approved in a daily standup meeting that all of us were involved in is sufficient for us to satisfy that. I think that procedures can be aligned with the way that the teams are already executing so that it doesn’t mean you’re putting a bunch of overhead in place.
Simrat Singh
You don’t necessarily have to always change things when you’re doing it. In this case, you already kind of had an informal procedure in place. You just documented it. And that was really the new procedure, your documentation in the policy.
Doug Neumann
I’m not a zoom wizard, but I don’t see any, oh, I see one other person say, what’s the cost to get SOC 2 compliant? Well, there are many ways that you can go about doing it as I understand it. Mentioned earlier, I had heard multiple people give me six-figure price tags on what it would take to do it. I would say for us, it’s probably going to be a quarter of that at the end. So, it turned out to be way more affordable than I thought. I put a lot of money into our budget to get it done this year. I’m not even really scratching the surface of that. That said, it’s going to depend on how you do it. And, I think there are some ways you can pay consultants to come in and do a lot of the stuff that we as a team have signed up to do ourselves. That’s really not the way Arpio operates. We’re a bunch of doers. We like to build stuff, even sometimes policies.
We are trying to see if there are any other questions then. Any product changes that you came up with because of this, like to make SOC 2 easier for your customers? One of the things I thought, a misconception I had was that Sim was going to show up and tell us that we have to change our product, but we have to add a bunch of security features into the product or anything like that. We haven’t had to do any of that stuff. The way that our product was engineered for our customers is sufficient for us to get the SOC 2 certification. Our product is quite secure, but we can always be doing more and especially why around things like single sign-on and multifactor authentication and stuff like that we will have in the product, in the not-too-distant future, but they’re not there today, and they aren’t blockers for us to move forward.
A question just came in and said, is there a list of required documentation or policies that need to be in place?
Simrat Singh
Absolutely. In fact, we have a list for SOC 2. We have a list for ISL. We have a list for GDPR. We have a list for HIPAA. We have a list for pivotal. We have a list for all of it.
Doug Neumann
I actually have my Laika policies up here. Okay. I think people can still see the ten policies that we are doing. I don’t know if these P’s are a priority, but I do think of them in this particular order. So, from information security, business, continuity, compliance, configuration management, all of the stuff. Again like this was built into Laika, we didn’t have to go off of these policies. We just had to go review them and iterate. And right-size them for us.
Simrat Singh
Those are the policies, I love them.
Doug Neumann
Great. Well, I think that we are at the end here, it’s been 40 minutes of people listening to me, droning on about compliance, which is probably not the most entertaining way people could have spent this time, but all that said, I appreciate everyone joining us. Sim, I really appreciate you sharing this time, as well as just all of the mentorship you’ve given us as we’ve gone through this process.
