What does it mean when a SaaS provider such as CROSStrax™ possesses SOC 2 Type II certification?

It means that the SaaS provider has…

  • had a CPA firm, with specific domain expertise in this area, put the SaaS platform through a comprehensive array of testing in areas such as security, availability, confidentiality, system integrity and controls
  • made a significant commitment of resources and energy to demonstrate this compliance


It also means that…

  • they passed the audit testing and that the CPA Firm is comfortable awarding them the designation as being “SOC 2 Type II Certified
  • they did more than just represent that their platform has controls… they proved it and in doing so, demonstrated their commitment to security and controls to protect their clients


It is important to differentiate the above with some occasional misperceptions…

  • having the software engine that HOUSES a SaaS provider being compliant does NOT mean that the SaaS provider themselves is compliant
  • having the SaaS provider represent they have all the requisite controls when they have NOT been audited by an accredited CPA Firm would not equate to “Soc 2 Type II certified”


Ultimately, although a “certified” designation benefits the SaaS provider, more importantly and the good news is that it helps any firm that uses the platform as their operating system.  They can now represent to their clients that their operating system is in fact SOC 2 Type II certified.  That will enhance their marketing efforts, reputation and peace of mind.  Their data is secure.


It is important to understand the difference…as rest assured many of your customers, particularly the larger ones, will know the difference.

For more information on SOC 2 Type II security and controls please visit https://www.netgainit.com/soc-2-type-ii-certification-defined/