There's one phrase that we keep repeating through our external and internal communication - Security isn't an afterthought for us. And we want to walk that talk. Even before we released our pre-seed funding news and onboarded our first customer from the Alpha cohort, we were already under audit for SOC 2 Type 1 certification. Almost unheard of for a company our age and stage.
Why SOC 2?
We have companies from India, SEA, and the US - all at different stages of scale. We knew we had to put security as a top priority even on Day 0.
We had our own set of questions. As we started to give the idea of Kula the shape of a product, we knew it would cater to companies of all shapes and sizes, across the globe. We understood that security concerns would crop up, and that they would be varied in nature. When we first began exploring SOC 2 compliance, we talked to ex-colleagues, our investors, several founders, and CTOs, just to get a feel for how the process went for them and to understand the endeavor we were about to undertake.
Contrary to popular notion, SOC 2 isn't a certification. It is an attestation report, issued by the AICPA, declaring whether they agree with the privacy and security declarations made by the vendor (in this case, Kula).
SOC (System and Organization Controls) is an American standard that belongs to AICPA (the American CPA association). If your target market is the US, SOC will help ensure that your product and service meets the security and availability standards of the US market.
In short, it checks a lot of boxes and clears a lot of hurdles in a buyer's evaluation process.
SOC 2 has a couple of sub-categories as well:
Type 1: policies are defined and documented, and the audit is conducted at a single point in time.
Type 2: policies are defined and documented, and are then verified by a third party over a period of time.
What did we do to obtain SOC 2 Type 1 and Type 2 certifications for Kula?
We spent the initial few weeks writing policy documents, procedures, and various security controls, which helped shape the product design and development process. SOC 2 in fact guided and pushed us to take the right path. Being a startup, we have to balance feature development and security, and I wouldn't hesitate to say that the certification has helped Kula improve on the security front.
Once we had the requisites in place, we first procured the SOC 2 Type 1 certification. A few months later, the SOC compliance team conducted rigorous audits and verified the requisites before declaring us Type 2 certified, concluding our overall SOC 2 compliance.
Being a small team meant we needed someone to choose SOC 2 time over coding time. Not an easy choice to make. Working on compliance is not fun - not by the farthest definition of the word. So we had to make the whole thing fast. We chose to partner with Drata to make the process more seamless and quick, and it did come through. Being a small team also helped: being small meant less process, less procrastination, and more action.
What does this mean for customers of Kula?
SOC 2 Type 1 and Type 2 certification is proof that Kula prioritizes the safety and security of its customers at all times. Our tech is guided by strict policies covering data privacy and protection, cloud security, business continuity, and regular vulnerability testing that safeguard our customers. All of this points to one thing: customers can fully trust our tech, and continue to hire effortlessly and worry-free using Kula.
Should you go for SOC 2, this early in your company lifecycle?
Ironically, yes. The earlier the better. If you have a spread-out base of target or existing customers, it will ease a lot of conversations during the sales and implementation process. Our conversations with large customers like GoJek and Wise were considerably smoother because of it.
What's next for Kula?
SOC 2 is a massive achievement for us, and we will cherish it. But as we said, security is baked into our tech culture, and SOC 2 is the first of many. We measure ourselves against the highest security benchmarks in SaaS, and we will make sure we strive for them continuously. We'd love to continue the discussion on this and other cool things we're doing in tech at Kula. Drop us a message on our LinkedIn or Twitter.