update Security docs that we are soc2type2 compliant #15759
Conversation
Looks good, thanks for updating!
Left a comment about the wording but tl;dr I think it's fine
docs/project-overview/security.md
@@ -2,7 +2,7 @@ | |||
|
|||
## Data Security | |||
|
|||
Airbyte provides a secure environment for customers and users that protects all user data following industry standard practices. From day 1, we have designed and adapted our product with security as a part of the foundation. We are currently completing the SOC2 (Type 2) data compliance certification and will undergo an independent review annually. | |||
Airbyte provides a secure environment for customers and users that protects all user data following industry standard practices. From day 1, we have designed and adapted our product with security as a part of the foundation. We are [now SOC2 (Type 2) certified](https://www.businesswire.com/news/home/20220707005117/en/Following-In-Depth-Independent-Audit-Airbyte-Receives-Clean-SOC-2-Type-2-Report) and will undergo an independent review annually. |
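Review bot: The new sentence calls Airbyte "SOC2 (Type 2) certified", but SOC 2 is an attestation engagement that ends in an auditor's report, not a certification; for a security document, wording such as "completed an independent SOC 2 Type 2 assessment and received a clean report" is more accurate and still readable. The linked URL is a press release rather than anything a customer can use for due diligence; consider also stating how customers can request the report (or a trust-center link) and the period the report covers, since a Type 2 report only attests to controls over a specific window.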
I think this wording is probably fine because most people that know about SOC2 have some idea of what SOC2 certified means.
I guess if we want to be real pedantic though we would not say certified because SOC2 is not actually a certification but an attestation.
So using the official language we'd say something like
We received a clean opinion on our SOC2 (Type 2) attestation
but I think that is much more verbose and might actually be more confusing to an audience that is less aware of the technical distinction between certifications and attestations.
So in conclusion I think saying certified is probably fine. I'm open to whichever you think makes the most sense for our intended audience.
(Article about SOC report opinions if you want a pedantic description 😄 https://linfordco.com/blog/reasonable-assurance-and-soc-report-opinions/)
Actually @Amruta-Ranade has some better phrasing suggested by our vCISO
“Completed SOC2 Type 2 assessment completed by independent third-party and found Effective controls in place and they’re operating effectively”
Let's use this instead
Let's use the phrasing provided by Amruta
* update Security docs that we are soc2type2 compliant
* Rephrasing SOC2 content

Co-authored-by: Amruta Ranade <11484018+Amruta-Ranade@users.noreply.github.com>
What
update Security docs that we are soc2type2 compliant