SOC 2 Compliance & Certification

FinFit’s annual SOC 2 report provides an independent 3rd party review of security & confidentiality controls and operational effectiveness of those controls, according to standards of the American Institute of Certified Public Accountants (AICPA).

What is a SOC 2 Type II Compliance?

FinFit’s SOC 2 Type II report covers industry best practices for security and confidentiality including:

Senior Management’s continuous review and awareness of information security
Periodic risk assessments and continuous vulnerability scans
Review of subservice organizations’ 3rd party security audits
Mandatory employee security training and security policy awareness
Comprehensive Two Factor Authentication (2FA), monitoring, patching, logging, anti-malware, backups, disaster recovery, and network security
Firewalls, security appliances, encryption, data leakage prevention and role-based access controls safeguarding data
Advanced application penetration testing
Rigorous change control governance with formal deployment processes
Over 160 industry best practice controls audited by credentialed 3rd party security experts

Why is SOC 2 certification important?

SOC 2 Type II reports are an internationally recognized standard for assessing information technology security. The recurring SOC 2 audits ensure that FinFit’s security practices are consistently reviewed by experts and improved to meet a rigorous standard. Organizations should request proof of SOC 2 Type II reports, ISO 27001 certificates, or other industry-standard security framework before sharing data with 3rd parties. The absence of 3rd party security audits/certifications implies that an organization is self-monitoring and security practices can vary widely.

How often is FinFit audited/evaluated?

Audits are performed annually.