Why SOC 2 Type 1 makes Setapp better for all users

We use apps for everything now, from managing personal finances to collaborating on projects with coworkers. Given that most apps store and process data in the cloud rather than our own machines, we want to make sure they are secure and trustworthy. 

That’s why the American Institute of Certified Public Accountants (AICPA) came up with the SOC 2 (system and organization controls) reporting framework that measures how well a service organization controls security and manages data. 

We’re happy to announce that Setapp has officially passed the SOC 2 Type 1 audit! 

The Setapp security team has done a great job over the past year working closely with an auditor to make sure that every process aligns with SOC requirements. As a result, Setapp is now fully compliant with widely used SOC 2 Type 1 criteria.Oleksandr Kosovan, Setapp CEO

So what is SOC 2 Type 1 exactly? Why did we decide to get it and what went into that process?

What is SOC 2 Type 1? 

The American Institute of Certified Public Accountants designed SOC as a predefined list of standards to solve a prevailing problem — how does a SaaS (software as a service) company instantly prove to its customers that it has strict and secure data management procedures in place? 

Before SOC, companies had to manually collect evidence of secure procedures for every request. With SOC, anyone entrusting data to third-party vendors can be sure of its safety. 

There are three categories of SOC:

• SOC 1 verifies control over financial reporting

• SOC 2 audits data controls for service companies

• SOC 3 is similar to SOC 2, but while SOC 2 and SOC 1 are designed for professionals, SOC 3 is less specific and accessible to a more general audience

SOC 2, in turn, is further divided into Type 1 and Type 2: 

• Type 1 tests the security controls of an organization at a certain point in time

• Type 2 monitors specific controls over a given period of time (anywhere from three to 12 months)

SOC reports are unique for every company and generally evaluate agreed-upon controls across five categories: security, availability, confidentiality, processing integrity, and privacy. Setapp got its SOC 2 Type 1 report in the security category. 

Why did Setapp pursue SOC 2 Type 1?

Obtaining SOC 2 takes a non-trivial amount of effort and is completely voluntary (unlike HIPAA, for example). So why did Setapp do it? 

Information security is a growing concern not only for SaaS companies but also their customers. All organizations using third-party vendors want to make sure that their data is in good hands and not vulnerable to attacks. 

At Setapp, our security practices have always been in line with cutting-edge industry standards. However, proving that to our customers who had specific needs around security was always a manual and time-consuming process. 
The SOC 2 Type 1 attestation provides evidence of multiple security protocols, showing that Setapp meets strict data security requirements, as verified by an independent auditor.Mykola Srebniuk, Head of Information Security at MacPaw

How SOC 2 Type 1 benefits all users

Even though completing SOC 2 Type 1 involved lots of documentation, process adjustments, and took the better part of 2021, it was still worth it for all the peace of mind we were able to deliver to our users. So what does SOC 2 Type 1 mean for you? 

1. Your data is secure

The most important takeaway from Setapp receiving SOC 2 Type 1 accreditation is that all users can now be sure that Setapp’s data management processes have been verified to meet widely accepted international standards. 

2. Your interests are represented by an auditor

To test all the criteria required by SOC 2 Type 1, we worked with Boulay Group, an independent, third-party auditor. Their team assessed every Setapp claim and confirmed its validity. Now Setapp is required to keep those processes in place for future re-assessments. 

3. Your company has less paperwork

If you’re a prospective Setapp for Teams customer and have an extensive third-party vendor approval in place, SOC 2 Type 1 should satisfy most of the security requirements. This means your team can start using Setapp even sooner!

What are the next steps?

It’s safe to say that, after getting SOC 2 Type 1, Setapp is not stopping in its commitment to be the most trusted vendor in the Apple ecosystem.

At the moment, we’re preparing to apply for a very rigorous and well-known standard called ISO/IEC 27001, which would cover information security not only for Setapp but also other products in the MacPaw family. We’ll come back with an update soon!