IRIS CRM Receives SOC 2 Type 2 Certification

IRIS CRM is proud to announce that after a thorough, months-long audit completed by Assure Professional, we have received our SOC 2 Type 2 Certification! Completion of the audit certifies that IRIS CRM meets the security standards established by the AICPA.

Merchant services providers using IRIS CRM will benefit from our certification by being able to meet more stringent security requirements of potential partners, especially banks, who often require SOC 2 compliance in addition to PCI level 1 compliance. 

IRIS CRM’s certification removes the time and cost associated with the audit process for organizations that don’t require additional systems audited and reduces the audit scope for organizations going through the certification process.

SOC 2 compliance is yet another way that IRIS CRM demonstrates our commitment to the security of sensitive data within our software. The audit will be completed on an annual basis to ensure that IRIS CRM is maintaining industry and technology best practices to preserve the integrity of sensitive data.

Interested in learning more about IRIS CRM? Schedule a demo today!

What is SOC 2 Compliance?

Service Organization Controls (SOC) reports were developed by the American Institute of CPAs (AICPA) specifically for service providers storing data in the cloud to define the criteria for managing customer data based on five “trusted service principles”.¹  The 5 principles are:

1. Security – The system is protected against unauthorized access (physical and logical).
2. Availability – The system is available for operation and use as committed or agreed upon.
3. Processing Integrity – System processing is complete, accurate, timely, and authorized.
4. Confidentiality – Information designated as confidential is protected as committed or agreed upon. 
5. Privacy – Personal information is collected, used, retained, and disclosed, and/or destroyed in accordance with established standards.²

There are two types of SOC reports – Type 1 and Type 2. Type 1 describes a vendor’s systems and whether their design is suitable to meet relevant trust principles. Type 2 details the operational effectiveness of those systems. 

The focus of SOC 2 is putting in place clear, well-defined policies and procedures across the organization in order to truly protect sensitive customer data – not just to check all of the compliance checkboxes. Type 2 audits require long-term, ongoing internal practices that will ensure the security of customer information.³ 

1.”SOC 2” Compliance”, Imperva, July 30, 2021, https://www.imperva.com/learn/data-security/soc-2-compliance/.
2.”SOC 2 Audit Reports”, Assure Professional, July 30, 2021, https://assureprofessional.com/Services/SOC-2-And-SOC-3-Audit.
3. Moore, Mark, “4 Thing You Need to Know About SOC 2 Compliance”, Threat Stack, July 30, 2021, https://www.threatstack.com/blog/not-soc-2-compliant-4-reasons-your-customers-wont-work-with-you.