Security and data privacy have always been a key focus for us at Braze.
All the way back in 2011, when we were building the very first version of our iOS SDK, our company made an explicit decision not to collect the unique universal identifier (UUID) associated with each iOS device, which could be read by applications to track a user across different applications for advertising purposes. Why? It was our belief that an increasingly regulated future and a coming sea change in public opinion would increase scrutiny of mobile user data. And sure enough, Apple deprecated the UUID with iOS 5, creating a flurry of challenges for many mobile companies—but not for Braze.
The truth is, our approach to security and data privacy issues has always been deliberate and geared toward the long term, as evidenced by the approach we took to the EU’s General Data Protection Regulation (GDPR). For more than five years, Braze has hired independent security firms to carry out third-party penetration tests, providing external attestation of the security and controls governing the product. Back in 2016, we worked with third-party experts on the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to build out a HIPAA-compliant offering of our product, and in 2017, we completed a successful Service Organization Control (SOC) 2 Type 1 examination. All of these efforts are part of our focus on continual, incremental improvements to the Braze approach to security.
And now, after a long and thorough process, I’m proud to share that Braze has successfully completed its SOC 2 Type 2 audit and ISO 27001 certification during the 2018 calendar year. These key new security steps mean that our customers can feel even more confident that we do what we say we do with respect to our security controls.
What is SOC 2?
The SOC 2 standard, which is overseen by the American Institute of Certified Public Accountants (AICPA), sets down compliance requirements in connection with a given company’s security controls, ensuring that the firm has established strict information security policies and procedures that cover five Trust Service Principles:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
When a company undergoes a SOC 2 audit, it’s asked to outline how its security processes and controls are designed to meet the criteria for a given Trust Service Principle. Then these controls are reviewed by a third-party auditor to assess the suitability of those security controls in terms of design and operating effectiveness. Ultimately, the SOC 2 compliance process is focused on how a given organization addresses information security risks, and how it ensures that proper controls are in place to mitigate those risks to acceptable levels.
The SOC 2 process is a technical audit, where the third-party auditor produces an attestation report describing aspects of the security control of the company. The first part of the audit, known as SOC 2 Type 1, is a so-called “point in time” audit, where the independent auditing firm reviews documentation, systems, and controls in place, and asks for evidence of their current use. If the evidence a company provides demonstrates that they have a suitably designed information security management system, generally they’ll complete the Type 1 audit—you can think of the Type 1 as someone saying, “These security controls look good…and if these security controls are actually used, then I expect the company will acceptably mitigate information risk.”
The SOC 2 Type 2 audit, on the other hand, takes place over a longer period—at least six months. The SOC 2 Type 2 audit period for Braze was January 1, 2018 through June 30, 2018. During this time, Braze staff operated in a normal day-to-day manner that complied with the controls that we’d outlined in the Type 1.
Then in July 2018, an outside auditor came onsite to re-review the description of Braze security controls and requested a random sampling of evidence of those controls’ use over the previous six months to verify adherence. Under this process, the auditor is looking to make sure that what a company says it’s doing reflects what it’s actually doing: “You say all new hires have a criminal background check performed? Give me a list of new hires and I’ll randomly pick a few, and we’ll see if you can provide me with evidence that you did their background checks. You say all code changes are reviewed before being deployed to production? Give me a list of all the code changes from the past months, I’ll pick a few at random, and then I’ll ask you to provide me with evidence of the chain of approval.”
It’s this focus on how a company’s security controls actually operate, versus how the company says they operate, that makes SOC 2 Type 2 such a strong validation of a company’s processes.
What is ISO 27001?
Unlike SOC 2, which is an attestation report that documents security controls, an ISO 27001 certification affirms that an organization has performed a comprehensive assessment of security risks and has created an Information Security Management System (ISMS) that complies with the requirements set out within the International Organization for Standardization (ISO)’s global information security management standard.
An ISMS is a framework and related set of policies and procedures designed to manage an organization’s risk, confidential information, and security approach. ISO 27001 provides an outline of mandatory requirements that an ISMS must meet, such as controls for physical and environmental security, supplier relationships, access control, human resources security, incident management, and more.
Our ISO 27001 Certification took place during Q4 2018, when a third-party auditor conducted a thorough assessment of Braze to confirm that:
- Braze adheres to its own security policies, objectives, and procedures
- The Braze ISMS conforms to all requirements of the ISO 27001 standard
- The Braze ISMS successfully achieves all of the policy objectives set down by Braze in connection with information security management
Following the successful completion of that third-party audit, Braze received an accredited ISO 27001 certification at the end of last year.
Braze is pleased to make both our SOC 2 Type 2 Report, which describes the results of our Type 2 audit, and our ISO 27001 certification available to Braze customers upon request.
We are constantly evaluating security at Braze and looking for additional ways to showcase the high level of commitment to security and data privacy that our company is known for, and our customers have come to expect. As part of that effort, Braze has committed to undergo the SOC 2 Type 2 audit on an annual basis, along with the surveillance audits for ISO 27001 and our regular third-party penetration tests. Future compliance efforts are underway, and we are excited to share them with you in 2019.