July 8, 2021
Author: Julianna Lamb
Today, we’re excited to announce that Stytch has officially received our SOC 2 Type II certification.
Our SOC 2 Type II report outlines the extensive security and availability controls that Stytch has implemented and continually operates in order to offer our customers an exceptional experience.
We learned a lot going through the process for the first time and wanted to share our findings in case they’re valuable to others preparing for their first SOC 2 process. When done right, SOC 2 can be extremely valuable for establishing best practices and communicating your commitment to security to customers, but it can also be intimidating to get started.
Stytch builds critical infrastructure for our customers, and so the security and availability of our platform are of the utmost importance. We knew at some point we’d need to formalize our commitment to this with SOC 2, but how early is too early?
We started laying the groundwork for SOC 2 before we hired our first employees because we wanted to build a culture around security from the beginning and implementing policies only gets harder with more people.
We then spent a couple months trying to figure out when was the right time to actually schedule the audit period. Ultimately, we decided to wait until our product had reached some level of maturity because we wanted the report to be representative of our systems. We iterated a lot on the product and infrastructure during our early alpha period and decided to wait to graduate from that before kicking off the audit period.
A decision you’ll have to make is whether to jump straight to a Type II, like we did, or start with a Type I. We didn’t have immediate time pressure to complete SOC 2 and so, if we were going to spend the time on SOC 2, we wanted to do it right with a Type II.
A Type I certification is much faster because it is a one-time snapshot of your internal practices rather than the ongoing, multi-month audit involved in the Type II certification process. However, its value is relatively minor for SaaS companies because your customers want to know that you consistently and reliably follow best practices.
We use Vanta to help automate some of the SOC 2 process; their integrations and monitoring make it easy to keep an eye on things and ensure that you’re living up to your policies. While they do a lot of the heavy lifting, there are still many things you’ll need to evaluate for relevance given your systems and the specific criteria in scope for your audit.
Making sure you’re on the same page as the auditors is key and building a good relationship with them early on makes the audit process much smoother. Asking your auditor lots of questions early on ensures that you’re not just doing the right things but also documenting them appropriately.
If you’re interested in using Stytch, you can get started today by creating an account here. And if you’d like to contact us directly, you can email us at firstname.lastname@example.org.