Why Lupl Chose to Pursue SOC 2 Compliance in its First Year
We are excited to announce that Lupl recently completed its SOC 2 Type I audit – just a few months after its commercial launch. SOC 2 is an international gold standard for security and requires a significant cost and time commitment to obtain, so it’s no surprise that few early-stage startups prioritize such a certification so early in their journey. So why did we choose to subject ourselves to third-party scrutiny at a time of rapid growth and change?
One word: Trust.
Trust is a Core Value for Lupl
If you’re not among the thousands of legal professionals using Lupl today, you might wonder why trust is so important to our company. Lupl is a secure legal collaboration platform that makes it easy for everyone to work together on legal matters within and between organizations. It combines powerful native communication, collaboration, and legal project management functionality with the ability to plug and play with your own tools and systems. Among our clients are some of the largest law firms and corporations, who manage their clients’ and customers’ most sensitive and personal information, making platforms that support legal work prime attack vectors. In fact, according to the American Bar Association, about 80% of the largest law firms have experienced some sort of cybersecurity violation.
So frequently, we’re told we must trade innovation, utility, and convenience in the pursuit of information security. We just don’t believe that’s true. That’s why we built Lupl with Privacy by Design principles at its core, which say that, “When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimized.” We believe it’s not only possible, but also our obligation, to deliver a platform with the full functionality you need without sacrificing privacy and security.
This is precisely why we’ve committed so much time and budget to privacy and security. We’ve baked security into our software deployment process and regularly subject our systems to third-party penetration testing. Our corporate IT environment is more aligned to a large corporation than a startup, and we’ve recently employed a Security Operations Center that ensures we have people and technology detecting and responding to threats 24 hours a day, every day.
Security is Never ‘Done’
At Lupl, security is never done. Before turning our efforts to our SOC 2 Type 1 examination, we completed the Level 1 self-attestation via Cloud Security Alliance’s Security, Trust, Assurance, and Risk (STAR) Registry, to make it easy for current and potential customers to evaluate our security and compliance posture. You can access our self-assessment in the publicly available STAR registry here.
So, what’s next for Lupl’s Security team? We’ve already entered the audit period for our SOC 2 Type 2 examination, which will review how we deliver upon SOC 2’s trust principles over the course of the next six months. We also asked our auditors to map our policies and procedures to HIPAA standards as a part of their SOC 2 Type 1 audit and are happy to report that our path to compliance is clear. Later this year, we’ll seek the ISO/IEC 27001 certification for information technology security techniques governed by the International Organization for Standardization. And, in 2023, we’ll focus on attaining the Cloud Security Alliance’s STAR Level 2 certification, which builds on other industry certifications and standards to make them specific for the cloud.
About SOC 2 Compliance
SOC 2 is the second of three Service Organization Control (SOC) reports standardized by the American Institute of Certified Public Accountants in 2010. Its purpose is simple – to verify that a service provider’s systems are set up to ensure the security, availability, processing integrity, confidentiality, and privacy of customer data. Companies seeking SOC 2 compliance subject themselves, their policies, and their practices to third-party review. Independent auditors have full access to any and all detail about the organization undergoing review – everything from Board membership to hiring practices to how access to data is managed and controlled. A SOC 2 Type 1 examination evaluates an organization’s security controls at a single point in time, whereas a SOC 2 Type 2 examination assesses how well a company’s controls perform over a period of time. The process often takes six to 12 months and requires tens of thousands of dollars of investment.
If you’d like to learn more about privacy and security at Lupl, get in touch today.