SOC 2 Type 2: A Company-Wide Commitment to Security

by Lisa Hall January 16, 2020 | 2 min read

From open-sourcing our employee security training to sharing security best practices, PagerDuty is committed to contributing to the security community as a whole and considers security as a company-wide commitment. Our customers trust us to keep their data safe and secure. And on December 13, 2019, we took another step in embracing that trust by completing our SOC 2 Type 2 examination.

The SOC (Service Organization Controls) 2 Type 2 examination was conducted by an independent, third-party accounting and auditing firm, which evaluated PagerDuty’s processes, procedures, and controls for security and availability of our on-call management platform and Event Intelligence Services from May 1, 2019 to October 31, 2019.

SOC 2 Type 2 in Detail

So what is SOC 2? Developed by the American Institute of CPAs (AICPA), SOC 2 is a common compliance framework specifically designed for service providers that store customer data in the cloud. It requires companies to establish long-term, ongoing internal practices regarding the security of customer data.

A SOC 2 Type 2 report is an industry-recognized report that provides reasonable assurance that PagerDuty controls are suitably designed,operating effectively as necessary, and meet the following criteria:

  • Security. The service is protected against unauthorized access.
  • Availability. The service is available for operation and use as committed or agreed upon.

Type 1 vs. Type 2

When considering getting SOC 2 certified, companies can choose between Type 1 or Type 2. Type 1 is a “snapshot in time,” which reports that a company had appropriate controls in place at a specific point in time. PagerDuty received our SOC 2 Type 1 report in early 2019.

A Type 2 report, on the other hand, reports that a company has demonstrated continued adherence to appropriate controls over a period of time. At PagerDuty, we always say security is everyone’s jobs—our Engineering, Security, and Operations teams came together to look at our security processes and platform availability holistically to ensure we had the appropriate controls and processes in place for our SOC 2 Type 2 examination.

Why PagerDuty Moved Forward With Type 2

With headlines about data breaches, cybersecurity, and privacy published on a seemingly daily basis, companies are rightfully concerned about security, privacy, and data protection when it comes to cloud/SaaS-based providers. By undergoing this rigorous scrutiny of our security practices, we demonstrate our commitment to protecting our customers and that we value the trust you place in us.

Vendors and partners with compliance requirements may request and leverage PagerDuty’s SOC 2 Type 2 report as part of their compliance strategy.