TL;DR: Our SOC 2 Journey

We got tired of endless security questionnaires, so we got SOC 2 certified to make things smoother for everyone.

The process:

- Used Vanta to connect our services and fix compliance gaps
- Wrote a ton of policies
- Implemented zero-trust production access
- Upgraded our tech stack (Nx, Infisical, monitoring, VPN, etc.)
- Did penetration testing
- Evaluated all vendors

Result: Passed SOC 2 Type I 🎉

In progress: Type II

Next: maybe GDPR, maybe ISO 27001 (depends on demand)

Most of the security work we were already doing; SOC 2 just forced us to write it down officially.

Why SOC 2

At some point, every company reaches the phase where "we promise we're doing things securely" just doesn't cut it anymore. We were getting tired of filling out endless security questionnaires, the kind of thing that can easily live in a proper trust center.

It's one thing to say, "We use MFA, we encrypt stuff, we care about your data," but it carries far more weight when a third-party auditor confirms we're actually doing it by the book.

And since our team is still fairly small, we figured it was the right time to get our practices locked in early.

If you're wondering how SOC 2 works or planning to get certified yourself, this post aims to shed some light.

What is SOC 2?

SOC 2 is a security and compliance framework created by the AICPA. It defines how companies should handle customer data using five criteria: security, availability, processing integrity, confidentiality, and privacy.

There are other frameworks, such as ISO 27001, and in the long run it pays off to get that one too, depending on your customer base, but starting with SOC 2 is never a bad idea. It's widely recognized by US companies, less complex than ISO 27001, and gives you a solid security foundation to build on.

There are two flavors of SOC 2: SOC 2 Type I checks that your systems and policies exist at a point in time. Basically, whether you have the right setup. SOC 2 Type II looks at whether those policies work over time.
Think...