SOC Reporting: How SaaS Companies Like Vena Help To Ensure Customer and Partner Data Is Safe and Secure

December 6, 2022
by Hugh Cumming

In today’s digital age, data is at the center of nearly every organization. Cloud computing has brought incredible benefits for businesses, including increased collaboration, insights and flexibility. It has, however, also brought security risks that can be quite costly. 

The average cost of a data breach in 2022 is $4.35 million USD, according to the latest Cost of a Data Breach Report from IBM Security, based on research from Ponemon Institute. In addition to the financial hit, a data breach can result in loss of trust from partners and customers. What’s more, the increased focus on data privacy due to GDPR in Europe and the California Consumer Privacy Act (CCPA), means that security breaches could also result in steep fines or litigation. 


Customers and partners often seek assurances that an outside organization can be trusted with their data. For Software as a Service (SaaS) companies, such as Vena, that manage a large volume of diverse data, adherence to System and Organization Controls (SOC) requirements can help establish a common language of trust.

What Is a SOC Report?

At their core, SOC reports are independent, third-party audit reports that demonstrate how an organization achieves key compliance controls and objectives based on criteria defined by the American Institute of Certified Public Accountants (AICPA). For example, they can help validate, among other things, that a company’s internal security practices meet specific criteria. These practices include both technology and human protocols.

SOC 1 Report

There are different kinds of SOC audits. A SOC 1 audit examines and reports on an organization’s control environment that may be relevant to its customers’ internal controls over financial reporting.

SOC 2 Report

A SOC 2 audit looks at an organization’s control environment as it relates to established trust criteria, including security for a service offering.

SOC audits can be further broken into two types: a Type 1 audit reviews the control environment at a single point in time, whereas a Type 2 audit looks at the control environment over a defined period of time, typically from six to 12 months, depending on the needs of the organization and intended users.
Third-Party Validation

Since Vena operates in the corporate performance management space and deals with sensitive data, our customers expect us to implement appropriate organizational safeguards designed to protect the financial, operational and other organizational data they bring into our Complete Planning platform. Type 2 SOC reports provide an independent assessment that can help customers assess whether the control environments of vendors are suitably designed and operating effectively for their needs. 

When Vena underwent its SOC evaluation, we partnered with a top accounting firm to ensure that our audit was conducted by an experienced and respected third party. We’ve always developed Vena’s network infrastructure and tech stack with security in mind, so the road to issuing our Type 1 SOC report was a short one once we started the process. 

As part of our SOC 2 Type 2 audit, we looked at both human-based and technology-based enterprise risk management measures as they related to the security trust principle. The examination included evaluating the technology we have in place, assessing the internal training for all our staff and reviewing the outputs from ongoing incident response exercises with our technical and crisis management teams.

Achieving a level of security that can be independently verified, such as SOC, is a continuous journey that never truly ends. Our teams are regularly updating our defensive technologies, conducting penetration tests, reviewing privileged access grants and generally staying on top of the latest threat intelligence. Security is a process and no organization can sit back and assume that it is 100% secure.


Executive Support

For companies pursuing SOC 2 compliance (or considering going through the audit process), it is important to have both executive buy-in and full support and commitment across the organization from the ground up. This was the case for us at Vena. Our entire team was an engaged champion of the process.

Conducting a SOC evaluation serves a number of valuable functions. It establishes a framework, cadence and discipline of ongoing review, which can help protect an organization from both financial and reputational damage and ensure that authored policies are followed as part of the running business. Vena continues to strengthen our Complete Planning platform, which is designed to ensure our users’ data is safe, secure and always available.

To learn more about Vena’s commitment to customer trust, visit our Customer Trust page.
