November 2, 2022

iProov is proud to be the world’s most validated provider of biometric face authentication and liveness detection. We work with some of the most security-conscious organizations in the world; to do so, we work diligently to meet numerous stringent conformance and certification processes that uphold the security, privacy, and performance of our technology.

This means that our users can be sure iProov delivers the highest possible standards of security and privacy.

SOC 2 is an internationally recognized standard that ensures appropriate and robust controls are in place to manage customer data activity in a cloud-hosted environment.

SOC 2 Type II certification highlights iProov’s dedication to assuring the confidentiality and privacy of the information processed by our systems. It also further validates trust in our business and processes – as certified by separate, independent third parties.

In this article, we’ll explain:

  • Exactly what SOC 2 certification means
  • Why SOC 2 certification is important
  • The difference between SOC 2 and various other certifications
  • What organizations need to comply with SOC, and why it matters for your organization.

What is SOC 2 certification?

System and Organization Controls (SOC) is a standard developed by the American Institute of Certified Public Accountants (AICPA). SOC aims to certify trust and confidence in the systems that it audits, and asserts an organization’s dedication to protecting customer data and privacy.

The Service Organization 2 (SOC 2) certification means that we have passed rigorous audits of our security, data management, and operational procedures. SOC 2 is subject to an annual accreditation process – this means that our ability to securely manage non-financial data to protect organizations’ interests and their users’ privacy is assessed on an ongoing basis.

To achieve SOC 2 certification, organizations must implement controls on:

  • System monitoring
  • Data breach alerts
  • Audit procedures
  • Forensics

How and why did iProov achieve SOC 2 certification?

iProov is a cloud-based biometric technology provider. Service organizations that operate in the cloud gain SOC 2 certification in order to assure partners and customers that their data collection and storage processes are transparent. SOC 2 certification proves the organization is comfortable having its approach scrutinized and challenged by external auditors.

iProov passed the testing with no exceptions. We were found to follow defined processes that manage and approve changes to the platform.

Who needs SOC 2 compliance?

SOC 2 certification is not mandatory. However, any organization that operates in a cloud environment can choose to show that its technology stands up to external audits and scrutiny while safeguarding customer data.

Companies that use cloud service providers can (and should) ask for proof of SOC 2 certification in order to gather reassurance of the risks of the technology services they’re working with.

ISO 27001 vs SOC 2

Like SOC 2, ISO 27001 specifies certain standards for how an organization manages security, confidentiality, and processing integrity of customer data.

The difference is that ISO 27001 provides a framework for data management and verifies that a functioning ISMS (information security management system) is in place. SOC 2, on the other hand, focuses on the specifics of how data security controls have been implemented.

iProov is ISO 27001 compliant and maintains this status continuously with annual audits. Importantly, the ISO certification scope covers the whole company, including all of the products and services it provides, controlled from iProov headquarters.

So, iProov is compliant with both – along with a host of other stringent regulations. This includes, but is not limited to: iRAP, IP3, eIDAS En 319 401, iBeta Level 1 and Level 2, ISO/IEC 30107-3, and ISO/IEC 19795-1:2006. Read more about our Governance here.

SOC 1 vs SOC 2

SOC 2 differs from SOC 1. With SOC 1, the focus is on financial reporting and controls, whereas SOC 2 assesses non-financial controls – namely compliance with the Trust Service Principles (availability, security, processing integrity, confidentiality, and privacy).

Additionally, SOC 2 reports come in two forms, Type I and Type II.

Type I: Assesses the design of security processes at one specific point in time.

Type II: Assesses how adequate those controls are by observing operations over a minimum period of six months.

iProov is SOC 2 Type II certified, having undergone the most rigorous auditing procedure.

SOC 3 is a variation of SOC 2 and contains the same information as SOC 2, but it’s presented for a general audience rather than an informed one.

iProov and SOC 2 Type II: a summary

  • Service Organization Control 2 (SOC 2) is a set of standards that assess how an organization handles customer data and security. It is based on the five trust principles: security, availability, processing integrity, confidentiality, and privacy.
  • iProov is fully conformant with SOC 2 Type II. No exceptions were found when we were audited. Our systems are certified to operate on the least trust principle.
  • SOC 2 Type II is the most rigorous of the 3 SOCs and assesses the non-financial controls of an organization by observing operations over a minimum period of six months.
  • This certification, in addition to our existing certifications, provides our partners, customers, and future customers with the assurance that their data and users’ data is safeguarded properly by iProov.
  • A copy of the certification is available to our customers upon request.

If you’d like to learn more about how iProov can help your organization to securely verify customer identity online using face biometrics, book your demo today.