Considering that the average data breach costs $3.86 million, and that data breaches are becoming increasingly sophisticated, ask yourself: What are you doing to protect your confidential contracts from falling into the wrong hands? Better yet, what are your contract lifecycle management (CLM) software partners doing to protect your sensitive contract data?
As a contract management software provider, we’re committed to taking all the right steps to protect your contracts. That’s why we recently completed a SOC 2 Type II audit: to ensure that we’re adhering to the strictest industry security standards, and reassure our customers that our security controls are safeguarding their contracts.
But what is the SOC 2 Type II audit, and what does this mean for our customers? Katrina Itle, IntelAgree’s Chief Operating Officer, shares the answers in this interview:
SOC 2 is a third-party audit of a company’s IT security controls. An organization can be audited on any of the following five principles: security, availability, processing integrity, confidentiality, and privacy.
IntelAgree, for example, was audited on security, availability, and confidentiality because these are the principles that our auditors, A-LIGN Assurance, feel are most relevant to our platform.
First, the auditors come in with a list of objectives outlined by the creators of the SOC 2 audit — the American Institute of Certified Public Accountants (AICPA). The auditors then review each item on the list — like control, monitoring, and risk assessment objectives — to understand what controls an organization has established to meet these objectives. Then, they ask for evidence to support the controls in place. Examples include:
Businesses are moving away from on-prem software — where everything is stored in physical datacenters and the business itself has tight control over security — to software-as-a-service (SaaS).
And SaaS is different.
Moving to SaaS means you no longer have the same degree of control. People outside of your organization can touch your data. Not only do you have service providers hosting and maintaining software on your behalf, but their sub-processors also have access to your data.
That’s why SOC 2 compliance has become so important: It ensures that the outsiders who have access to your data are being responsible. It verifies that cloud service providers and their vendors are being responsible with:
In other words, SOC 2 compliance reassures businesses that their cloud service providers are establishing the right security controls, and that they’re holding their sub-processors accountable for meeting those standards, too.
It’s all about responsibility.
Customers entrust CLM providers with their contracts, which house sensitive, confidential information. In return, it’s our responsibility as the CLM provider to ensure that we have the necessary security controls in place to protect their data.
I think there are a lot of SaaS companies that claim to keep data secure, but if you look under the covers, there’s no verification that they are really protecting their customers’ data to an industry standard. Many of these companies create an illusion of control by relying on the controls of their sub-processors, which means nothing if you are lacking risk management, access control, and change management in your own organization.
SOC 2 compliance, on the other hand, verifies that we are adhering to the most current, stringent industry standards — giving our clients peace of mind about their contract security.
It proves to our customers that we are doing what we say we’re doing for them: Keeping their data secure.
Typically, before our customers ever see our SOC 2 report, we answer their security questionnaires so we can gauge what security measures they believe we should be taking. Our SOC 2 Type II compliance confirms that we’re taking the actions our customers want us to take — and that we’re doing it on an annual basis.
If you’re vetting a SaaS CLM provider, there are three things you need to do:
From a security perspective, achieving SOC 2 Type II and HIPAA compliance was phase one of our long-term plan.
Now, we’re moving into privacy: We are already GDPR compliant as a data processor, compliant with the California Consumer Privacy Act (CCPA), and compliant with Canadian privacy laws. We’re aiming for full GDPR compliance and full CCPA compliance down the road, and we’ll be working toward our ISO 27001 certification in the near future.
Last but not least, we’re also joining the Cloud Security Alliance — a global organization that defines standards, certifications, and best practices to ensure secure cloud computing environments.
Data security shouldn’t be an afterthought in contract management — it should be a priority. That’s why you need a CLM software partner that considers data security a priority, too.
Contact us to learn more about how we protect our clients’ contracts, and how companies like yours are optimizing their contract lifecycle management with our AI-powered platform.