October 5, 2023
Paradigm is excited to share the news that we have passed a SOC2 Type 2 audit! This proves to you, our customers, investors, and partners, that we meet a certain bar for business processes and for the security of our infrastructure.
SOC2 stands for “System and Organization Controls 2”. It was created in 2010 by the American Institute of Certified Public Accountants (AICPA). According to the AICPA, reports in the SOC family “are designed to help [...] build trust and confidence in the service performed and controls related to the services through a report by an independent CPA.” The SOC2 report in particular is “intended to meet the needs [...] of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy.” Put in simple language, if a business has successfully been through the SOC2 process, you should be able to trust that the business has its act together.
There are two kinds of SOC2 audit - “Type 1” and “Type 2”. A Type 1 audit covers a single point in time, whereas a Type 2 audit checks that compliance is maintained over a period of time. We opted for Type 2, and just emerged from our three-month monitoring period, which spanned from June 1st to August 31st. We’ll adopt a yearly cadence for the future.
Here are a few examples of the SOC2 controls that are now in place at Paradigm:
- Policies. We have 23 corporate policies in place, covering everything from “Acceptable Use” to “Information Security” to “Vulnerability Management”. These policies are shared throughout the company and signed and agreed to by everyone.
- MFA on Accounts. We have had Multi-Factor Authentication required for all internal accounts for quite some time now. This makes it official.
- Infrastructure Security. This involves things like encryption of data at rest, encryption of data in transit, firewalls, backups, log management, etc.
- Employee Security. Employee laptops must have hard disk encryption, a screen lock, a password manager, antivirus software, and auto-updates turned on. This is enforced through an agent on employee machines. Employees must attend security training.
- Application Security. Annual penetration tests are required, as are quarterly vulnerability scans.
- DevOps Security. The items here reflect good software development practices: we use a version control system, we review and test code changes, we have a release process, only a limited number of engineers can release code, and we have a software development life cycle policy.
- Human Resources. We do background checks, have onboarding and offboarding processes, and maintain an org chart.
There is a special language to the audit that is, admittedly, unfamiliar and opaque to the casual reader. The important part is the “Opinion” section, in which our auditor gives their opinion that
- The description presents Paradigm’s Platform
- The controls stated in the description were suitably designed [...] to provide reasonable assurance that Paradigm’s service commitments and system requirements would be achieved
- The controls stated in the description operated effectively
In other words, we have controls in place to provide assurance that we’re performing at a certain level of business processes and security, those controls are reasonable, and those controls are functioning well.
If you would like to see our SOC2 report, please ask your account representative or our solutions team.
Getting a SOC2 audit was a significant step in demonstrating the security of our product. We hope this successful audit gives you more confidence in Paradigm as a business, and we hope it makes you rest easier with us as a customer, investor, or business partner.