Observe Is Now SOC 2 Certified!

By Ross Lazerowitz, March 29, 2021

We are happy to announce that Observe has completed its SOC 2 Type 2 audit. This is a crucial step in giving our customers transparency about our commitment to privacy and security.

What is SOC 2?

System and Organization Controls 2 (SOC 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). It defines criteria for managing customer data based on five Trust Services Criteria categories: security, availability, processing integrity, confidentiality, and privacy. Security is the only mandatory category; which of the others a report covers depends on the scope the service organization chooses, so it is worth reading the report rather than relying on the "SOC 2" label alone.

SOC 2 audits are performed by independent CPA firms against the criteria defined by the AICPA. Observe engaged The Cadence Group for our SOC 2 audit. They examined our controls over a six-month review period and verified that our internal processes operated as described. That review period is what distinguishes a Type 2 report from a Type 1 report, which only assesses whether controls are suitably designed at a single point in time. We also contracted with NCC Group, a leading global cybersecurity firm, for an annual penetration test of the Observe service.

How do we use Observe for SOC 2 compliance?

We had a little help from our friends. Vanta, an automated security and compliance tool, significantly speeds up the audit process. Vanta connects to many of the services we use (Snowflake, Jira, our HR software, etc.) to automate evidence collection, which frees up our engineering team to work on harder problems. Vanta also helped us put sound information security policies in place.

Lacework's continuous security monitoring helps us meet many of the security controls. For example, it watches our container workloads for anomalous behavior rather than just checking static rules.

As mentioned above, NCC Group performed a comprehensive two-week penetration test. It focused on tenancy (isolation between customers' data), data security, and our SQL compiler.

One of the cool things about working at Observe is getting to dogfood the product. Our own product was a big help in the following areas:

  • Weekly user access audits – Joining our audit logs to user and HR data in Observe lets us verify, every week, that only the right people have access to customer data.
  • Linking production updates to code changes – With CI/CD it is sometimes hard to keep track of which code was promoted to production. Observe shows the changes to each service, so we can follow the path from a running pod back to the Terraform change, the pull request, or even the individual git commit.
  • Triaging vulnerabilities – Like many companies, we use a lot of tools to stay on top of the security posture of our systems. Observe links their results together to give us a bird's-eye view.
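The weekly access audit in the first bullet boils down to a join between access events and the HR roster. The script below is an added illustration of that check, written for this post; it is not Observe product code and does not use Observe's query language. The log format, the roster fields, the role entitlements and the sample events are all constructed assumptions. It flags three things a reviewer cares about: accounts that do not exist in HR data, access after an employee's end date (a failed offboarding), and access by roles that policy does not entitle to customer data.

```python
"""Weekly customer-data access review: join access-log events to an HR roster.

Added illustration, not Observe product code. The log format, roster fields,
role entitlements and sample events below are constructed for this example.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: current role and, for offboarded staff, the end date.
ROSTER = {
    "alice": {"role": "support", "end": None},
    "bob": {"role": "engineering", "end": None},
    "carol": {"role": "sales", "end": None},
    "dave": {"role": "engineering", "end": date(2021, 3, 1)},  # offboarded
}

# Roles that policy allows to read customer data (assumption for the example).
ENTITLED_TO_CUSTOMER_DATA = {"support", "engineering"}

# Constructed audit-log lines: "<ISO timestamp> <user> <action> <resource>".
AUDIT_LOG = """\
2021-03-22T09:14:03Z alice read customer_data/tenant-42
2021-03-22T10:02:11Z bob read customer_data/tenant-7
2021-03-23T11:45:59Z carol read customer_data/tenant-42
2021-03-24T08:30:00Z dave read customer_data/tenant-7
2021-03-24T08:31:00Z mallory read customer_data/tenant-7
2021-03-25T16:20:45Z alice read internal/dashboards
"""


def parse_event(line):
    """Parse one constructed audit line into a dict with a real datetime."""
    ts, user, action, resource = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "resource": resource,
    }


def review_customer_data_access(log_text, roster, entitled_roles):
    """Return {finding_kind: [(user, resource, timestamp), ...]}.

    Only events touching customer_data/* are in scope for this review;
    everything else is skipped. An empty dict means a clean week.
    """
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        if not ev["resource"].startswith("customer_data/"):
            continue
        record = (ev["user"], ev["resource"], ev["ts"].isoformat())
        person = roster.get(ev["user"])
        if person is None:
            # Account not in HR data: contractor, service account or rogue user.
            findings["unknown_account"].append(record)
        elif person["end"] is not None and ev["ts"].date() >= person["end"]:
            # Access on or after the HR end date: offboarding did not revoke access.
            findings["access_after_offboarding"].append(record)
        elif person["role"] not in entitled_roles:
            # Employee is current but their role is not entitled to customer data.
            findings["role_not_entitled"].append(record)
    return dict(findings)


if __name__ == "__main__":
    results = review_customer_data_access(AUDIT_LOG, ROSTER, ENTITLED_TO_CUSTOMER_DATA)
    for kind, records in results.items():
        print(kind)
        for user, resource, ts in records:
            print(f"  {ts} {user} -> {resource}")
```

On the sample data this reports one finding of each kind (mallory is unknown, dave accessed data after his end date, carol's sales role is not entitled) and ignores alice's read of an internal dashboard. In practice the roster and entitlement sets come from the HR system and the access policy rather than from literals, and the finding list becomes the evidence attached to the weekly review ticket.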

For copies of our SOC 2 and penetration test reports, contact your account manager or email us at hello@observeinc.com.