Platform Updates

Safeheron Achieves SOC 2 Type II Certification, Data Security System Further Recognized

By Safeheron Team - 2023-10-24

Safeheron, an open-source digital asset MPC self-custody solution provider, announces that it has attained SOC 2 Type II certification for data security and privacy standards. The audit, performed by Deloitte, a leading global provider of audit and related services, verified whether the design and implementation of Safeheron's security processes and controls meet the compliance criteria, and evaluated the effectiveness of Safeheron's security system and controls over time.

Attaining the SOC 2 Type II certification further demonstrates Safeheron's transparency and security reliability, and its commitment to safeguarding user data security and privacy. Safeheron protects customer data from unauthorized access and maintains system security, user information confidentiality, and privacy.

Q & A

What is evaluated by SOC 2 Type I and Type II certification respectively?

SOC 2 Type I Report: The Type I report primarily focuses on a one-time assessment of the effectiveness of an organization's information security controls. This report covers only a specific point in time, usually an audit date, to verify whether the security controls comply with the SOC 2 criteria at that point, providing information on whether the organization's information security controls are well-designed and can be implemented properly.

SOC 2 Type II Report: The Type II report covers a longer audit period, requiring not only verification of the design and existence of information security controls but also evaluation of the effectiveness of these controls during the audit period. This means that auditors will conduct continuous monitoring and testing throughout the audit period to ensure the security controls can effectively protect customer data continuously.

What is the process of SOC 2 Type II audit?

Safeheron's SOC 2 Type II audit adopts an on-site auditing approach.

The SOC 2 examination includes inquiry, observation, inspection, and re-performance. During the SOC 2 Type II audit, the controls are evaluated from the perspectives of control design, implementation, and operational effectiveness during the testing period. Safeheron will provide evidence during the audit period and accept random inspections. Deloitte conducts sampling based on the guidelines of AICPA and the requirements of SSAE 18, evaluating the effectiveness of operating controls.

What preparations has Safeheron made for the SOC 2 Type II audit?

Safeheron’s Chief Information Security Officer (CISO) and his team have built a security control system that meets SOC 2 criteria through gap assessment, risk assessment, the regulation of relevant policy processes, and other measures.

The SOC 2 Type II audit verifies the sustained effectiveness of Safeheron's security control system.

What Safeheron Has Prepared

  • Safeheron implemented security controls ensuring that all employee devices have data leak prevention tools and antivirus software correctly installed, and used endpoint management software to restrict which software may be installed. The system automatically removes software that is not on the whitelist.
  • Safeheron standardized company management and processes, such as drafting comprehensive security policy documents, regularly conducting risk management and compliance assessments, and enforcing strict security requirements and compliance standards with vendors and partners.
  • Safeheron regularly conducts employee training and records the training and its effectiveness. Training covers the company’s security policies, processes, security controls, risk identification, and emergency response, as well as the relevant requirements and criteria of SOC 2 audit, ensuring the long-term effectiveness of Safeheron's security control system.
  • Safeheron's security team reviews and updates all internal security regulations and systems, ensuring a comprehensive audit is carried out before they can take effect.
  • Safeheron executed full-scale live disaster drills and reviews, covering scenarios such as the loss of key system managers, recovery of core disaster backup data, and backup and recovery of core sensitive data.
  • Safeheron established strict document management and record retention processes, organizing and archiving various records and related documents, and regularly conducting internal audits to ensure that everything is documented, providing the necessary proof during external audits.

What challenges are typically faced during a SOC 2 Type II audit? What problems did Safeheron encounter in this process, and how were they resolved?

SOC 2 is a universally recognized gold standard for the internal information security control systems of enterprises, and its criteria, evaluation, and audit also apply to the burgeoning blockchain security industry.

However, blockchain security practitioners first need to help auditors understand their business and the technology they adopt. In the early stages of the SOC 2 audit, Safeheron helped the auditors gain a comprehensive understanding of blockchain security, its technology adoption, and business development, alongside Safeheron's own business development and technology adoption.

For example:

  • Differences between blockchain security and traditional industry security.
  • How Safeheron delves into blockchain security.
  • How Safeheron employs proprietary MPC+TEE technology to secure user assets.
  • How Safeheron's self-custody services and wallet-building services for institutional clients ensure client business security while facilitating client business development.

For companies undergoing a SOC 2 Type II audit that have already established a security control system conforming to the criteria during the SOC 2 Type I audit, challenges may include the following:

  • Compliance Operation: During preparation, companies may need to adjust and improve their existing security controls to ensure compliance with SOC 2 criteria and effective operation. This might require redesigning security processes and allocating more resources to implement new controls.
  • Document Record and Retention: A SOC 2 Type II audit requires the preparation and maintenance of a large number of documents and records to demonstrate compliance. Companies need strict and complete document management and record retention processes to provide the necessary evidence during the audit.
  • Security Culture: Security control systems require personnel for implementation, meaning companies need to build and strengthen their internal security culture. Proper organization of employee training and awareness-raising activities ensures that employees understand and comply with the company's security policies and processes, and actively participate in executing and adhering to security controls.

Safeheron has been building and continuously improving its internal security system since its inception. Advancing SOC 2 Type II certification has also helped us identify and fill gaps, optimize existing measures, tailor the required security designs to our situation, and continuously verify the effective implementation of internal security measures.

For more information about SOC 2 certification, you can browse through

Conclusion

Achieving SOC 2 Type II certification is not only a high recognition of Safeheron's always-practiced data security system but also a best practice in continuously optimizing existing security management and data protection systems.

Our proprietary MPC+TEE self-custody security technology encrypts and protects user data and privacy from unauthorized access and tampering. Combined with comprehensive security measures and continuous optimization, it delivers a practical and highly reliable internal security system built on "Technology + Compliance". The SOC 2 Type II certification is now a robust testament to Safeheron's comprehensive, continuous, and effective maintenance of system security, user information confidentiality, and privacy.

Safeheron will not stop here; we will continue to hold ourselves to high standards, pursuing industry-recognized security compliance certifications and implementing reliable security measures. By integrating knowledge with action, Safeheron is committed to providing safer and more reliable digital asset self-custody services for all users.