{"id":1150,"date":"2021-11-09T17:56:09","date_gmt":"2021-11-09T17:56:09","guid":{"rendered":"http:\/\/box5442.temp.domains\/~arpioio\/?p=1074"},"modified":"2021-12-07T16:59:42","modified_gmt":"2021-12-07T16:59:42","slug":"soc-2-for-saas-the-information-security-policy","status":"publish","type":"post","link":"https:\/\/arpio.io\/staging\/8013\/soc-2-for-saas-the-information-security-policy\/","title":{"rendered":"SOC 2 for SaaS- The Information Security Policy"},"content":{"rendered":"\n

If you haven\u2019t read post 1<\/a> in this series, the tl;dr is that we\u2019re sharing the details of our SOC 2 compliance journey so you\u2019ll better understand what the process entails.\u00a0 We\u2019re looking at this policy-by-policy, explaining what our policy says and how we\u2019re complying with it.<\/p>\n\n\n\n

Let\u2019s start with the information security policy. This is the policy that our customers are most interested in when we\u2019re talking about Arpio and how we are being good stewards of their data.\u00a0<\/p>\n\n\n\n

Our draft policy came from Laika, but it had to be right-sized for a small SaaS business. Coming in, we felt that we were in pretty good shape and have been directionally aligned with where we should be.\u00a0 As an organization, we\u2019re lucky to have technical leadership that has dealt with compliance before.\u00a0<\/p>\n\n\n\n

The security policy mandates a set of security practices across our organization, both within the production environment, where our SaaS product runs, and our IT environment, consisting of our laptops and other devices.\u00a0 It\u2019s mostly about following current best practices.<\/p>\n\n\n\n

The\u00a0 information security policy covers things like:<\/p>\n\n\n\n