A 1Password Journey Through SOC2
by Pilar García on
A while ago, we decided it was time for 1Password to become SOC2 certified… Don't worry, we aren't designing socks. Protecting customers’ data has always been our highest priority, and this certification is one more way we can attest to that.
SOC stands for Service and Organization Controls, a family of certifications related to others you might have heard of like ISO or FedRAMP. While there are SOC1, SOC2 and SOC3 the one relevant to 1Password is SOC2. Being SOC2 certified means that we've demonstrated that we follow best practices for Security and Availability.
Security in this case is not about our encryption, which we all know is the best out there. 😉 In the world of SOC2, Security ensures that we have—and follow—processes and policies that keep 1Password secure from all angles- everything from the way we train our employees to how the software is developed. Availability means -you guessed it- that 1Password will be working whenever you need it to.
Demonstrating our commitment to security and availability sounded like an easy task but as we went throughout the process we discovered there was much more to it. We created a 1Password Team account to help with the process, using it to communicate securely with the auditors and store all our documentation. The whole process took about a year and a half, and we couldn't have done it without 1Password.
There are two types of SOC2: Type 1 certifies that you have policies in place, while Type 2 verifies that you follow them. And because we always aim high, we set out to do both.
To start, we ensured that we had policies and procedures in place. For example, we've always had security training for 1Password employees but now we have a new policy for annual training for everyone in the company. This stage took several months, but by the end, we had quite a few documents that needed to be shared among the SOC2 team. To do this easily and securely, we used the Shared vault in our Team account.
To meet the requirements of Type 2 we had to demonstrate that we could enforce our policies during a period of six months. Thanks to our awesome employees that was never much of a challenge. Everyone received security training in January as promised. To demonstrate our compliance we produced dozens of documents- everything from spreadsheets, screenshots, PDFs, quick notes… We not only had to share these with auditors, we also had to track the changes that had been made since Type 1.
Thankfully 1Password made it easy. With a few clicks, we created an additional vault for all the new documents and shared it. As the auditors provided feedback, we were able to update those documents and keep track of previous changes using item history. Each item keeps track of who did changes and when so there was a built in audit trail.
To stay organized, we used tags that allowed us to categorize, then find, items of each kind. The tag “Updated” immediately showed us documents that had to be adjusted. With a click on the “From Auditors” tag, we could see all those items uploaded by the auditors, while “From AgileBits” gave us all those that we uploaded.
Every item in 1Password has a field for notes. These notes helped us communicate details that didn't belong in the document or title. We recorded things like: what we last updated, related items, exceptions made in the documents, and more.
Security in general, and SOC2 in particular, aren't things that you do once and then forget about. We have not finished keeping 1Password secure and available because this year's SOC2 audit is complete. The next time around, we'll know exactly what we're doing and 1Password will be there to help us one more time.