Coconut Software’s Commitment to Security: The Road To SOC 2

By Chris Powell - Jun 13, 2019

For as long as we’ve been in business, keeping our customers’ data secure has been our top priority. Without our customers we wouldn’t exist, so protecting that relationship is vital. And considering how important strong data security is in financial services, we’re always looking for ways to bring that security to the next level.

That’s why we decided to pursue SOC 2 certification for security.

Awarded only after a rigorous audit of our System and Organization Controls, SOC 2 covers data security at every level — from our development process, to how our IT team operates, even extending to our HR policies, procedures, and on-boarding. By working to bring each and every aspect of Coconut Software’s security to the highest level, we knew that achieving SOC 2 certification would ensure that we set very high standards for ourselves as a team. And that we work constantly to exceed those standards.

Getting guidance on the process

When we started along the path to certification, we hired a third-party consulting firm to work with our Privacy and Security department to assist with our audit preparation and plan. Specifically, we sought out consultants who were former auditors themselves and had firsthand knowledge of the intricate requirements that go into that final audit. In that way, we would be fully prepared when the auditors arrived.

With our expectations set, we met with several consultancies, and selected Decision Point Advisors out of Vancouver. As much as we wanted to use a local firm, Decision Point made it clear that they would go above and beyond to make sure we were as comfortable as possible throughout the entire process.

Determining a principle and moving forward

As most familiar with SOC 2 (Service Organization Control 2) know, an audit can cover any of the following five trust principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. So our next big decision was determining which principle we wanted to concentrate on for our audit. Taking into account the fact that Coconut Software is a young company going through our first SOC 2 audit, along with an approaching deadline for completion from a potential client, we decided that our first SOC 2 certification would be for the Security trust principle, and we would add the other relevant principles in time. By doing so, we could assure our customers that from the day their account is created, we do everything within our power to secure that data.

Prior to bringing Decision Point in, we already knew that our security program was robust. We followed best practices and recommendations, and had been told more than once that it was surprising that a company of our size had a dedicated Privacy and Security Department. But we were constantly working to improve it. So even before they came in, we started putting our practices and procedures on paper as policy drafts. From there, with Decision Point’s guidance, we settled on wording that would preserve our good practices, set standards for those that needed to be improved, and end a few less optimized practices. Finally, with their expert assistance, we codified our existing practices and procedures into a formal policy suite.

Preparing for the SOC 2 audit

As mentioned before, preparations meant taking our practices and procedures and codifying them into a suite of policies and procedures that dictate how we operate. But of course, ensuring this was done properly meant more than that.

It meant that our development team had to work together to document the code lifecycle, from start to finish — from design to release.

It meant that our IT team had to break our departments into tiers and decide what data each one has access to, based on the principle of least privilege.

It meant that our HR team had to have a set of policies and procedures to dictate the recruiting, hiring, and on-boarding process for all new staff.

No one is exempt. There are no breaks from protecting the data that we are entrusted with. As frustrating as the policies might be to follow, they are there for a reason, and EVERYONE follows them.

That isn’t all though. Along with securing the data of our customers, it also means that we protect our own private data to the same degree. All of the work that we do to protect our customers’ data (and by extension, their customers’ data), we do the same for our own.

Bringing in the auditors

After several months of working with Decision Point, we enlisted Deloitte, LLP to perform our audit. This meant several weeks of emails and phone calls to set out the scope, expectations, schedule, and everything else involved.

When the day of the audit came, we had been working towards our certification for nearly a year, and since this is an annual certification process, it means we will never stop preparing for it. The same policies, practices and improvements that went into getting ready to receive certification this year will be carried over and fine-tuned constantly in preparation for next year’s audit, and the next year’s, and the next, ensuring that we always provide the highest level of protection for our customers’ data.

The auditor was here for several days, conducting interviews, scouring policies, and requesting documented evidence that we were actually following the policies and procedures we’d worked so hard on.

Coconut Software is Proudly SOC 2 Certified

In the end, all the hard work paid off and we received our certification, and we are proud to talk about it. It really was a labor of love that extended to every level of Coconut Software, and we did it all for you and your customers.

We take security seriously.
Always have, always will.
And this certification proves it.

