We spent months building policies, hardening our systems, and documenting relationships. Thanks to a lot of work from our team and our partners at Vanta, Dansa D'Arata Soucia, and X80, Confection is now SOC 2 certified and GDPR compliant. Strong credentials like these underscore our commitment to international data privacy laws, the personal preferences of everyday users, and rebuilding trust between people and the businesses they rely on. We're now policy-driven and running more securely than ever.
A SOC 2 audit is an independent, third-party assessment of a company's system profile and of the effectiveness of its security controls. It also validates the company's administrative, technical, and logical controls. The process represents a significant expenditure of time and money: building policies, hardening systems, and documenting relationships takes many months and thousands of dollars, and it involves essentially every part of a business's operations.
Becoming SOC 2 and GDPR compliant was important to the Confection team because of our focus on compliance, trust, and responsible data handling.
"Why is security important to Confection? What prompted us to undertake the SOC 2 journey? It's simple: Our team believes in privacy first," says Quimby Melton, Confection's co-founder and CEO.
"We're working hard to build the new standard by which personal data is collected, stored, and distributed online," Melton continues. "We want to help companies thrive in the new reality, and we want to give people greater control over what they share online."
"From the beginning, Bruno (Confection's co-founder and CTO) and I wanted to build Confection in a way that was ultra scalable and ultra secure. Our technology partners at Heroku and Snowflake give us the ability to scale up rapidly and operate securely. The talented security researchers in our developer community continually test and harden our system. And our partners at Vanta, Dansa D'Arata Soucia, and X80 make sure we're compliant with policy and security best practices. Having strong, world-class credentials like SOC 2 helps underscore our commitment to international data privacy laws, the personal preferences of everyday users, and rebuilding trust between people and the businesses they rely on."
"To establish ourselves as an enterprise-level player and to show everyday web users we're serious about privacy, SOC certification and GDPR compliance were must haves for our team."
We began the SOC 2 certification process in November of 2021. It was a team-wide effort that involved creating dozens of unique policies, defining onboarding and offboarding workflows, identifying and addressing risks, bringing our application and development partners into alignment with security best practices, and creating various SLAs.
Vanta's templates and application helped us keep our SOC 2 journey on track and sped up the time it took to complete hundreds of different tasks. Achieving a SOC 2 is a major milestone for any organization interested in improving their security (and proving that security posture to customers or prospects). But the cost and time associated with pursuing a SOC 2 can pose a daunting challenge for fast-growing startups like ours. Vanta really helped us streamline the process by automating the collection of up to 90% of the evidence we needed to prove our compliance. They gave us clear guidance and a single place to store our many policies. All told, Vanta helped us prepare for our SOC 2 audit quickly and painlessly. We were far better off working with them than we were trying to complete the process on our own.
Our audit timeline follows:
Policy Creation (November-December 2021)
During this phase, we documented all the policies, procedures, and operational controls we rely on.
Inventory Creation, Vulnerability Monitoring, and Vendor Assessment (January 2022)
We created a list that outlines all our application and vendor relationships. This includes all PaaS services, code repos, and partnership arrangements. During this phase, we also fine-tuned our bug bounty, pen testing, and vulnerability monitoring systems.
Third-Party Audit (March 2022)
Our auditing partners at Dansa D'Arata Soucia reviewed everything to ensure we were indeed compliant with SOC 2 mandates.
During the entire five-month process, we learned the importance of dedicating the entire enterprise to this effort. SOC 2 is a marathon, not a sprint. We kept the process moving forward by setting aside a few hours per week to work on tasks. This kept our team from feeling overwhelmed but still allowed us to make a lot of progress quickly. Ultimately, the SOC 2 certification process was a team-building exercise that increased cohesion, gave everyone greater visibility into roles and responsibilities, and increased trust among our team and stakeholders. We entered into this exercise thinking it was primarily focused on the outside world. In reality, it wound up bringing us closer together internally. And, at the end, we all celebrated together.
The SOC 2 certification process also had a profound effect on our application. "It's like a whole new product," Bruno said at one point. We didn't anticipate how much the process would positively impact Confection on the product level. We're now policy-driven and running more securely than ever. We didn't expect it, but this was a very real byproduct of the SOC 2 certification process.
Confection collects, stores, and distributes data in a way that's unaffected by client-side disruptions involving cookies, cross-domain scripts, and device IDs. It's also compliant with global privacy laws, so it's good for people too.