Considering that the average data breach costs $3.86 million, and data breaches are becoming increasingly sophisticated, ask yourself: What are you doing to protect your confidential contracts from falling into the wrong hands? Better yet, what are your CLM software partners doing to protect your sensitive contract data?
As a contract management software provider, we’re committed to taking all the right steps to protect your contracts. That’s why we recently completed a SOC 2 Type II audit: to ensure that we’re adhering to the strictest industry security standards, and reassure our clients that our security controls are safeguarding their contracts.
But what is the SOC 2 Type II audit, and what does this mean for our clients? Katrina Itle, IntelAgree’s Chief Operating Officer, shares the answers in this interview:
First, what is a SOC 2 Type II Audit?
SOC 2 is a third-party audit of a company’s IT security controls. An organization can be audited on any of the five following principles: Security, availability, processing integrity, confidentiality, and privacy.
IntelAgree, for example, was audited on security, availability, and confidentiality because these are the principles that our auditors, A-LIGN Assurance, feel are most relevant to our platform.
There are two types of SOC 2 audits:
- Type 1: This is more of a review; auditors will investigate and ensure you have the appropriate controls in place. The report will list out all of the controls an organization uses to protect IT security.
- Type 2: This audit is more extensive; auditors not only ensure that the controls are in place, but also conduct testing to prove that the controls are working over a period of time. On a Type 2 report, you’ll see the security controls an organization has in place, and the results from the auditors’ testing.
What does the SOC 2 Type II auditing process look like from beginning to end?
First, the auditors come in with a list of objectives outlined by the creators of the SOC 2 audit — the American Institute of Certified Public Accountants (AICPA). The auditors then review each item on the list — like control, monitoring, and risk assessment objectives — to understand what controls an organization has established to meet these objectives. Then, they ask for evidence to support the controls in place. Examples include:
- Contracts with sub-processors
- Proof of customer communications
- Evidence of business continuity and disaster recovery testing
Why is SOC 2 Type II more important now than ever before?
Businesses are moving away from on-prem software — where everything is stored in physical datacenters and the business itself has tight control over security — to software-as-a-service (SaaS).
And SaaS is different.
Moving to SaaS means you no longer have the same degree of control. People outside of your organization can touch your data. Not only do you have service providers hosting and maintaining software on your behalf, but their sub-processors also have access to your data.
That’s why SOC 2 compliance has become so important: It ensures that the outsiders who have access to your data are being responsible. It verifies that cloud service providers and their vendors are being responsible with:
- Encryption access controls
- Multi-factor authentication
- Intrusion detection
- Performance monitoring
- Disaster recovery process monitoring
In other words, SOC 2 compliance reassures businesses that their cloud service providers are establishing the right security controls, and that they’re holding their sub-processors accountable for meeting those standards, too.
Why is SOC 2 Type II compliance particularly important in the SaaS CLM space?
It’s all about responsibility.
Clients entrust CLM providers with their contracts, which house sensitive, confidential information. In return, it’s our responsibility as the CLM provider to ensure that we have the necessary security controls in place to protect their data.
I think there are a lot of SaaS companies that claim to keep data secure, but if you look under the covers, there’s no verification that they are really protecting their clients’ data to an industry standard. Many of these companies create an illusion of control by relying on the controls of their subprocessors, which means nothing if you are lacking risk management, access control, and change management in your own organization.
SOC 2 compliance, on the other hand, verifies that we are adhering to the most current, stringent industry standards — giving our clients peace of mind about their contract security.
What does IntelAgree’s SOC 2 Type II compliance mean for clients?
It proves to our clients that we are doing what we say we’re doing for them: Keeping their data secure.
Typically, before our clients ever see our SOC 2 report, we answer their security questionnaires so we can gauge what security measures they believe we should be taking. Our SOC 2 Type II compliance confirms that we’re taking the actions our clients want us to take — and that we’re doing it on an annual basis.
How should companies request a SOC 2 Type II report and vet their SaaS CLM vendors?
If you’re vetting a SaaS CLM provider, there are three things you need to do:
- Establish your own company’s information security policy and procedures.
- Request the vendor’s SOC 2 Type II report. If the vendor doesn’t have the SOC 2 report, then request its ISO27001 report.
- Create a vendor questionnaire to ensure the CLM provider’s security controls meet or exceed your own. This also drives additional conversations or security questions, so you can get a better idea of how the vendor handles security and data protection.
What other security measures is IntelAgree taking to protect client data?
From a security perspective, achieving SOC 2 Type II and HIPAA compliance was phase one of our long-term plan.
Now, we’re moving into privacy: We are already GDPR compliant as a data processor, compliant with the California Consumer Privacy Act (CCPA), and compliant with Canadian privacy laws. We’re aiming for full GDPR compliance and full CCPA compliance down the road, and we’ll be working toward our ISO 27001 certification in the near future.
Last but not least, we’re also joining the Cloud Security Alliance — a global organization that defines standards, certifications, and best practices to ensure secure cloud computing environments.
Choose a CLM Software Provider You Can Trust
Data security shouldn’t be an afterthought in contract management — it should be a priority. That’s why you need a CLM software partner that considers data security a priority, too.
Contact us to learn more about how we protect our clients’ contracts, and how companies like yours are optimizing their contract lifecycle management with our AI-powered platform.