As a Salesforce Partner, priorities are often revenue generation, marketing, product design, tech stack, functionality, scaling, and customer satisfaction. However, it is all too common for cybersecurity to be an afterthought, only addressed when mid-market or enterprise clientele start inquiring about cybersecurity controls and independent third-party attestation reports.
As we expanded our reach into these markets, we were asked on multiple sales cycles to complete rigorous security questionnaires and prove our SOC 2 compliance. This prompted us to search for a partner that could guide us through the process of pursuing SOC 2 compliance and other frameworks like GDPR and ISO 27001. After conducting thorough due diligence, we selected Drata as our partner.
Drata’s core value of trust, coupled with their deep industry experience and impressive growth trajectory (including unicorn status and funding from Salesforce Ventures and other Series C investors), made them the ideal fit. We are excited to be working with their team as we pursue SOC 2 Type 1 and Type 2 reports and will be sharing more about this experience along the way.
So what is SOC 2?
As a Salesforce Partner, achieving SOC 2 compliance is a critical step towards ensuring the highest level of data security for our clients. SOC 2 is widely recognized as the gold standard for data security. It was developed by the American Institute of CPAs (AICPA) to define criteria for managing customer data based on five "Trust Service Criteria":
- Processing integrity
While SOC 2 reports are unique to each organization and are aligned with their specific business practices, they all aim to comply with one or more of these trust principles. These internal reports provide crucial information to our clients, regulators, business partners, suppliers, and others about how we manage their data. If you’re interested in learning more about SOC 2, we recommend downloading this Beginner’s Guide for an in-depth overview.
Why should Salesforce Partners Prioritize SOC 2 Compliance?
According to Troy Markowitz, one of the co-founders at Drata, SaaS startups should seek SOC 2 compliance for a few reasons:
1. Demonstrate to Enterprise Customers that cybersecurity is a Primary Focus
Companies, especially larger ones, expect their vendors to have strict cybersecurity requirements and are increasingly asking for third-party validation. We have found that this is one of the most important issues at the C-suite level within enterprise-level organizations.
2. Avoiding Significant Cybersecurity Gaps
Without an independent attestation, Salesforce Partners may prioritize ease of use over security, which can lead to significant cybersecurity gaps. Adhering to strict internal controls from the beginning can prevent process re-engineering later, as the company scales its operations across people, processes, and technology.
3. Instill a Culture of Cybersecurity from the Start
SOC 2 audits require organizations to consider cybersecurity with every decision and change made. This promotes a culture of cybersecurity from the start, allowing companies to consider solutions that can integrate with their monitoring platforms as they invest in their tech stack.
4. Streamline Processes and Controls to Ensure Scalability
In addition to cybersecurity controls, SOC 2 audits also require several types of entity-level controls to be in place, such as HR onboarding and off-boarding procedures, security awareness training, performance evaluations, policy reviews, and annual security risk assessments. Implementing these controls not only strengthens cybersecurity measures but also streamlines processes for scalability.
5. Gain a Competitive Advantage
Enterprise customers will expect Salesforce Partners to have a SOC 2 audit performed annually and will not sign with vendors until the audit is complete. By having a SOC 2 report in hand before engaging prospects, you make it easier for enterprise prospects to vet you during the sales cycle than they can vet your competition. With a SOC 2 report, enterprises spend less time performing due diligence, resulting in a shorter sales cycle.
When companies work with a Salesforce Partner, they are entrusting them with their technology platforms, customers, financial operations, and a whole host of other critical infrastructure and information. We understand this importance, which is why we have decided to become a SOC 2 compliant Salesforce Partner.
If you are looking for a SOC 2 compliant Salesforce Partner, please keep us in mind. We are working hard on this process and will be transparent with you as we share our progress.
If you are a Salesforce partner with questions about our experience with Drata and SOC 2, or are interested in learning how your organization can pursue SOC 2 compliance, you can reach out to me directly via our contact form or on LinkedIn. I would be happy to share more information with you.