Being a provider of Unified APIs, Apideck processes tons of information on behalf of its customers, wether that’s customer information passing through our CRM API, employee information through our HRIS API, accounting data through our Accounting API or any of the multiple different Unified APIs we offer to our customers.
In order to uphold the highest privacy and security standards, Apideck processes all this information as if it were Personally Identifiable Information (PII). This type of information requires the highest security standards and is treated separately under the GDPR and CCPA privacy regulations. We have developed rigorous policies and processes to make sure this data is handled securely and privately along every step of the way.
What is SOC 2?
To be able to demonstrate its compliance to the highest industry standards, Apideck has its policies and processes audited on a yearly basis according to the SOC 2 Type 2 standard. SOC 2 is a security framework that specifies how organizations should protect customer data from unauthorized access, security incidents, and other vulnerabilities. The American Institute of Certified Public Accountants (AICPA) developed SOC 2 around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
There are two types of SOC 2 compliancy. Type 1 evaluates and organization’s cybersecurity controls at a single point in time, whereas Type 2 evaluates systems and controls over a period of time (typically 3 to 12 months).
What is in the report?
The goal of our SOC 2 Type 2 report is to assure our customers that:
- we have put the necessary processes and controls in place to ensure the highest standards around data security and privacy;
- as a result of the above, their data is safe with us;
- our security measures are evaluated by an independent third party on an annually recurring basis.
While, at 47 pages, the report itself is quite beefy. Here is some high-level information on what it contains:
- An assertion from the management team that all information provided in the report is correct and up-to-date.
- A report by the Independent Service Auditor that describes the scope, as well as the responsibilities of the auditor and the service organization.
- A description of the systems and services, including the various security measures taken by Apideck as well as any third parties that we rely on.
- A description of various processes and policies we implemented for systems and people as well as categorization of the different types of data we process, including Information on how we deal with risks, emergencies and security incidents.
- A report on the results of the tests performed by the auditor related to our operating effectiveness, including information on the methodology used.
Apideck takes security of your data seriously. Where possible, we do not store any data we don’t need. In cases were we need to store data, we’ve designed processes and policies to assure the highest industry standards regarding the safeguarding of that data. We have these controls audited on a yearly basis by an independent auditor to ensure compliance.
- If you’d like to know more about our security measures, check out our Security Measures page
- If you’d like more detailed information about our Data Processing standards (incl. GDPR compliance), check out our Data Processing Agreement
- If you’re a customer who’d like access to the full SOC2 report, please contact us. We require a signed NDA before disclosing the report (in accordance with AICPA standards).