LenderDock recently completed its SOC 2® Type 2 examination. So, what does this really mean for you?
What is a SOC 2 Type 2 report?
It is a report on the suitability of the design and the operating effectiveness, over the examination period, of the controls over our primary systems, supporting system components, and the business processes that underpin our principal service. (A Type 1 report covers design only at a point in time; a Type 2 report also tests that the controls operated as intended throughout the period.) It also provides assurance to external parties about the security and availability of the systems that deliver LenderDock's lienholder process automation, and about the confidentiality of the information those systems process.
How is LenderDock's SOC 2 report produced?
SOC 2 is an attestation report, not a certification: it is issued by an independent CPA firm acting as the service auditor. The auditors test how well LenderDock's controls meet the AICPA Trust Services Criteria, which are grouped into five categories. Security is required in every SOC 2 examination; the other four are included at the service organization's election. The categories are broken down as follows:
1. Security
This category covers the protection of system resources against unwanted and unauthorized access. Access controls help prevent abuse of the system, unauthorized removal or alteration of data, theft, and software misuse.
Security tools deployed by the IT department (e.g., web application firewalls, intrusion detection and alerting, two-factor authentication) help prevent breaches that could lead to unauthorized access to company data and systems.
2. Availability
This category covers whether the system, and the products and services it delivers, are available for operation and use as committed in a contract or SLA (service level agreement). The minimum acceptable level of system availability is agreed by both parties.
This category does not cover system usability or functionality, but it does include security-related controls that affect availability, such as performance monitoring, backup and disaster recovery, and incident handling.
3. Processing Integrity
Processing integrity addresses whether a system achieves its purpose (e.g., delivering data at the correct time). Processing must be complete, valid, accurate, timely, and authorized.
4. Confidentiality
Data is classified as confidential if its access and disclosure are restricted to specific personnel or organizations. Examples include business plans, intellectual property, company finances, and other sensitive information.
Encryption protects confidential information in transit and, where it is stored, at rest. Application and network firewalls together with rigorous access controls safeguard company information while it is stored or processed on computer systems.
5. Privacy
The privacy category addresses the system's ability to collect, use, retain, disclose, and dispose of personal information in accordance with LenderDock's privacy notice and with the criteria set out in the AICPA's Generally Accepted Privacy Principles (GAPP).
Personally identifiable information (PII) is information that can identify an individual (e.g., SSN, address, name). Some personal data, such as that relating to sexuality, religion, health, and race, is also considered sensitive and requires additional protection. Controls are required to protect all PII from unauthorized access.
Significance of SOC 2
SOC 2 examinations are rigorous, and SOC 2 Type 2 reports are attested under the AICPA's SSAE 18 attestation standard. The Trust Services Criteria are aligned with the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, with supplemental criteria added for each category. LenderDock's security controls align with the COSO principles and the supplemental criteria.
What this means for you
LenderDock monitors the health of these systems through automation across most areas, and a dedicated team oversees their performance. Customers who need the detail can request the full report, which states the examination period, the systems in scope, the controls tested, and any exceptions the auditors noted.
In other words, independently examined controls protect your data, and your process is simplified by using LenderDock's services.