At Passbase, we take security very seriously. That means we have built security directly into our products! We are constantly performing both internal and external audits and improving our security measures, as well as ensuring we remain up to certification standards.
We are currently working on obtaining SOC 2 Type II reporting and full ISO 27001 certification.
What is SOC 2?
SOC 2 is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that sets out criteria for how a service organization handles customer data. A SOC 2 audit is scoped against the AICPA's five Trust Services Criteria (Security is always in scope; the other four are included as relevant to the service):
- Security: The Passbase platform is protected against unauthorized access (both physical and logical) and unauthorized disclosure or damage of data.
- Privacy: Personal information collected, used, retained, disclosed, and disposed of by Passbase is handled in accordance with the privacy criteria specified by the AICPA and with Passbase's own privacy notice.
- Availability: The Passbase platform is available for operation and use as committed or agreed with our customers.
- Processing integrity: Passbase's processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential and held by Passbase is protected as committed or agreed.
A SOC 2 report is an independent auditor's opinion on whether an organization has controls in place that meet these criteria. A Type I report covers the design of the controls at a single point in time; a Type II report additionally tests whether the controls operated effectively over a review period (typically six to twelve months). SOC 2 Type II reporting therefore gives Passbase users evidence, rather than only our own assurance, that our security controls were in operation, that data was processed accurately, and that confidential information was protected. SOC 2 is meant to give Passbase clients transparency around the security measures that we have in place to protect your users' data, both for your own vendor-risk and compliance reporting and to build trust with your end users.
The system description in the report covers the following components:
- Infrastructure: The physical and hardware components that support Passbase and allow us to deliver our services.
- Software: The operating software and programs that Passbase uses to facilitate data processing.
- People: The personnel involved in the management, security, governance, and operations at Passbase delivering services to our users.
- Data: The information processed within the Passbase platform.
- Procedures: The manual or automated procedures that Passbase has in place to ensure the platform is able to run day-to-day.
The auditing process takes several months (the Type II observation period plus the audit itself) and is an independent audit performed by a licensed, third-party CPA firm. We expect to have a full SOC 2 Type II report by late 2021.
For more information, please see the AICPA's SOC 2 page on the AICPA website.
What is ISO 27001?
ISO/IEC 27001 is an international information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for an information security management system (ISMS): the policies, processes, and controls through which an organization manages information security risk.
ISO 27001 certification assures users that Passbase is managing the personal data it requires to perform verifications in a secure and systematically governed way. To obtain this certification, Passbase must show that we have met the standard's requirements for establishing, implementing, maintaining, and continually improving our ISMS.
ISO 27001 certification requires that Passbase:
- Systematically assesses its information security risks, taking account of the relevant threats, vulnerabilities, and impacts.
- Designs and implements a comprehensive set of information security controls, and other forms of risk treatment, to address the risks that are deemed unacceptable.
- Adopts an overarching management process to ensure that the information security controls continue to meet Passbase's security needs on an ongoing basis.
ISO 27001 certification is carried out by an accredited certification body in three stages:
- Stage 1 is a preliminary review of the ISMS documentation (scope, policies, risk assessment, and the Statement of Applicability) and serves to confirm that Passbase is ready for the full audit and to familiarize the auditors with Passbase and vice versa.
- Stage 2 is a more detailed and formal compliance audit. This audit tests whether the ISMS has actually been implemented and is operating as documented, and compares it against the requirements of ISO 27001 and the controls Passbase has declared applicable. Passing this stage results in Passbase being certified against ISO 27001.
- Ongoing surveillance audits, done at least annually, confirm that Passbase remains compliant, with a full recertification audit normally required every three years.
We expect to be fully certified by the end of 2021.