There’s no question that we strive to deliver quality — in our products, services, and day-to-day operations. But, of course, it’s always nice to hear from a rigorous and impartial source that our information security and privacy practices are exceptional.
That was the case earlier this year when AvePoint earned the System and Organization Controls (SOC) 2 Type II attestation. It’s the second consecutive achievement for us; the first certification came last year.
As a public company, we hold ourselves to a higher standard, and this audit, conducted by an independent CPA firm, confirms that AvePoint meets the strict standards for the handling of highly sensitive customer data established by the American Institute of Certified Public Accountants (AICPA).
We’re thrilled that this is our first attestation as a public company. Here are three reasons we are so proud of our SOC 2 Type II attestation, and what it means for our customers and partners.
1. SOC 2 Type II Is Today’s Security Standard
A McKinsey report found that most enterprises aspire to have $8 out of every $10 for IT hosting go toward the cloud by 2024. As more organizations rely on cloud-based solutions and trust third-party providers to safely handle their sensitive information, there is an increased need for criteria to define sufficient data protections and effective internal controls.
But we need more than a checklist of necessary security and privacy requirements; we need a value judgment from an expert, proving not only that the requirements are in place, but that they are robust and sound.
Enter SOC 2 Type II. This critical designation sets the standards for today’s security excellence. When completing their review, the auditors ensure vendors practice high-level and reliable data security measures across the organization and verify the integrity, availability, and confidentiality of the data management processes and procedures.
2. The Audit Is a Rigorous, Evidence-Based Test
SOC 2 Type II attestation is no easy feat. The audit puts your company and products under a microscope to ensure you do what you say and can prove it.
AvePoint’s audit period covered the entirety of 2021. During the audit, the independent reviewers looked at all aspects of our security and privacy program operations, from software and infrastructure to communications and monitoring. Examples of controls reviewed include prevention of unauthorized access, protection of confidential or proprietary data, documented plans for disaster recovery and incident handling, and sensitive handling of personal information, among many others.
It was a thorough review, to say the least.
AvePoint not only passed, but our report had “no exceptions,” which means that in the full year of observing the fine details of our operations, the auditors found no issues and every control that was tested met and exceeded expectations. That’s a strong vote of confidence.
3. SOC 2 Type II Enables Customers to Assess the Risk Associated With an Outsourced Service
When an organization passes a SOC 2 Type II audit, its customers have assurance from a third party that the company has security controls and practices in place to ensure the highest levels of protection for clients’ sensitive data.
As a security vendor, we have spent years developing products that help our customers better protect and secure their data, so we know a thing or two about security and privacy. While we are confident our policies and procedures protect our clients’ sensitive data beyond professional doubt, it was important to us to have an independent firm review and verify this for our customers.
The successful completion of this audit is proof that we don’t just sell security and privacy products — we practice what we preach. It also illustrates our ongoing commitment to creating and maintaining a secure operating environment for our clients’ confidential information. This successful attestation should give you peace of mind that your data is safe with us, no matter the size of your organization or the AvePoint solutions you use.
We’re proud of this attestation, but it is not an endgame. Security and compliance are constant and iterative, to be maintained by all employees, every day. We will continue to honor our longstanding commitment to privacy and security by undergoing additional assessments of our practices, championing security best practices, and further integrating them into the culture of the company.