SOC that SaaS: How to Know if Your Business Software is Secure and Trustworthy

Bradley Wedding   February 09, 2017  

When you’re shopping for business software-as-a-service (SaaS), how do you know if a vendor can keep your data secure? You want to believe the salesperson’s claims about security, but you can’t risk being the next high-profile hacking victim. Rather than take security claims at face value, ask for a Service Organization Control (SOC) Report.

A SOC audit investigates how software providers operate. It can reveal how securely they build, test, deploy, manage, and operate their platforms. It also documents how they manage data privacy in their human resources departments, physical offices, and other environments in which information is vulnerable. 

At Talent Rover, we recently received our first SOC 2 report. As a company founded and operated by staffing and recruitment veterans, we know how serious data privacy is in the industry. We pride ourselves on creating enterprise-grade SaaS while maintaining security controls that go above and beyond the norm.  

Not all SOC Reports tell the same story. As a buyer, you need to a) determine which SOC audit the vendor underwent and b) interpret the results. There are two types of SOC 2 compliance audits that both focus on controls for SaaS operations:

  • SOC 2 Type 1 is a point-in-time audit. It simply verifies that the vendor has effective controls in place.  
  • SOC 2 Type 2 audits are conducted over a 3 to 12-month period. They ensure that SaaS vendors consistently perform their security controls. The auditors also assess how well each control addresses SOC’s Trust Services Principles and Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Thus, SOC 2 Type 2 answers the toughest questions: How would the vendor actually handle and protect your data? How would its team ensure uptime and performance?

SOC 2 Type 2 could, for instance, confirm that the company runs disaster recovery tabletop exercises on a monthly basis and conducts access reviews to ensure single sign on. It could also verify that the company enforces strong password and network polices and removes terminated employee access within 24 hours.  

When you read a SOC 2 Type 2 Report, look for the list of exceptions, which are controls that were not in compliance during the audit window. The number of exceptions is a barometer for how well a vendor has delivered on the Trust Services Principles and Criteria.

We’re pleased to report that zero exceptions were found during Talent Rover’s SOC 2 Type 2 audit. We took all measures necessary to exemplify SOC 2’s core principle: Trust. For more information, please visit our website or contact