DoltHub is SOC2 Compliant
System and Organization Controls 2, or SOC2, is a security attestation: an independent auditor examines your security controls and issues a report on them. DoltHub recently received our SOC2 report. We even have a Trust page to show for it. You'll have to request access but we're happy to provide it.
This blog will walk you through what SOC2 is, why it matters, and how we got certified.
What is SOC2?
In the words of our SOC2 auditor, Advantage Partners:
SOC2 is a framework governed by the American Institute of Certified Public Accountants (AICPA). With a SOC2 audit, an independent service auditor will review an organization’s policies, procedures, and evidence to determine if their controls are designed and operating effectively. A SOC2 report communicates a company’s commitment to data security and protection of customer information.
How about in my words? OK. Here goes.
SOC2 is a security standard built on the AICPA's Trust Services Criteria. It prescribes the documentation, controls, tools, and processes that bring your company up to a minimum security baseline. Security is the one mandatory criterion; availability, confidentiality, processing integrity, and privacy can be added to the scope. These artifacts are then reviewed by an independent auditor, who issues a report: a Type 1 report covers whether the controls are designed properly at a point in time, a Type 2 report covers whether they actually operated over a review period (commonly 3 to 12 months). Strictly speaking there is no "certification"; what you get is the auditor's report, with any exceptions they found listed in it, and that report is what customers' security teams ask to read. SOC2 also requires you to assess and manage the risk of your own vendors, so in practice you will ask each software vendor for their SOC2 report, and they will ask the same of theirs. The rationale is that you are only as secure as your weakest vendor, and this requirement drives SOC2 through the software stack.
Why SOC2?
Software security is important. Having the correct documentation, controls, and processes to ensure software security is good in and of itself. SOC2 helps you determine and refine your company's security posture.
Why SOC2 now? As a vendor of software, particularly Hosted Dolt, potential customers' security teams would ask if DoltHub was SOC2. Because we were not, these customers either refused to adopt Dolt altogether or would opt to host Dolt themselves within their own networks. SOC2 became a requirement for selling a hosted offering to other software businesses. This requirement drove the urgency of becoming SOC2 compliant here at DoltHub.
How do you Get SOC2?
SOC2 compliance means implementing, and producing evidence for, a large set of controls mapped to the Trust Services Criteria. The best way to see the scope and scale of the effort is to visit the DoltHub Trust page and click through some of the controls. Each control needs a written policy, a process that implements it, and evidence that the process is actually followed.
I'm not certain we here at DoltHub could have pulled off certification without the help of a tool. There are hundreds of individual tasks to work through, including documentation, ensuring employees have proper training, and enforcing minimum standards on all company computer hardware. A tool really helps communicate the requirements, organize compliance, and present results appropriately.
There are a bunch of paid tools. After some research and some haggling on cost, we went with Vanta. There were some llama jokes. And, we liked their web interface and general approach.
Once you have a tool to help you through the requirements, you then need an auditor. Usually the tool vendor has a set of auditors they work with, since the auditor reviews the evidence the tool has collected. The audit has an additional associated fee. We went with Vanta's recommended audit partner, Advantage Partners.
How long does it take?
We started in Q4 2023. It took about five to six months to work through all the checklists. We had one dedicated project manager, our Sales person Brian, who has a limited security background but a strong background in being annoying. Our co-founder, Aaron, is our security and infrastructure expert, so he ran point on the engineering side. I also contributed to the documentation and review. It was a pretty heavy undertaking, approximately eight total person-weeks of effort.
Once we submitted for audit, it was another 6-8 weeks to complete the audit. We had one audit finding related to our automated Pull Request approval mechanism that was deemed OK after some explanation. So, once we hit the audit phase it was a lot of elapsed time but not much work.
Customer Trust
The main customer benefit is the trust gained by knowing DoltHub has been through a SOC2 audit. Vanta provides a DoltHub-branded trust page where you can dive a bit deeper into DoltHub's controls and processes. I recommend perusing the page as the best way to understand what SOC2 entails.
Conclusion
DoltHub is SOC2 compliant. Hosted Dolt customers were asking for it. It took a couple of quarters and a bunch of engineering effort. Ready to use Hosted Dolt now that DoltHub is SOC2? Go ahead and deploy an instance or come talk to us about it on our Discord.