SOC Certification

Updated December 30, 2022

SOC 2 Type 1

Shape Software Inc. successfully completed the AICPA Service Organization Control (SOC) 2 Type I audit. The audit confirms that Shape Software Inc.’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.

Shape Software Inc. was audited by Prescient Assurance, a leader in security and compliance certifications for B2B SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada and provides risk management and assurance services, which include but are not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR, etc. For more information about Prescient Assurance, you may reach out to them at info@prescientassurance.com.

An unqualified opinion on a SOC 2 Type I audit report demonstrates to Shape Software Inc.’s current and future customers that the company manages their data with the highest standard of security and compliance.

Customers and prospects can request access to the audit report here – NDA required.

Security as a Company Value

Shape Software Inc.’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.

Secure Personnel

Secure Development

Secure Testing

Shape Software Inc. deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.

Cloud Security

Shape Software Inc. Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

Shape Software Inc. Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

Compliance

Shape Software Inc. is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of Shape Software Inc.’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Shape Software Inc. has in place.

SOC 1 Type II

Shape Software Inc. is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of Shape Software Inc.’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Shape Software Inc. has in place.

Controls over security, availability, and confidentiality.

That also includes developing a comprehensive set of security measures and practices to keep our customers’ data protected and safe. In accordance with our efforts to deliver the highest quality services to our clients, we have completed the Service Organization Control (SOC) Type II audit, a semi-annual certification.

The SOC 1 Type II certification verifies that Shape Software has the proper internal controls and processes in place around security and availability.  This helps to mitigate risks and ensure that our clients’ data are highly secure.

The SOC 1 is most appropriate for companies that are required to meet regulatory financial reporting requirements such as Sarbanes-Oxley (SOX), especially those that provide financial services, so that they may demonstrate their compliance with internal financial reporting controls. In addition, federal regulations such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

Because Shape Software serves financial services companies and others subject to these regulations, the SOC 1 is highly applicable to the services that we provide.  Use of the Type II report is restricted by the AICPA but current Shape customers can request a copy of the report using an appropriate non-disclosure agreement.

Why the SOC 1 Audit

The old SAS 70 audit was designed to help CPAs reporting on controls at a service organization — controls that impacted user entities’ financial statements.  It was insufficient for reporting on a cloud hosting provider’s controls and how they impacted the privacy of customer data.  Nevertheless, SAS 70 was the de facto standard up until 2011, and it was always subject to a measure of confusion.  Consequently, the American Institute of Certified Public Accountants (AICPA) updated the SAS 70 with the development of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework; together, these served as a new benchmark for service organizations and replaced the SAS 70.

SOC reports are administered in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. To address the various needs of service organizations previously using the SAS 70, the AICPA developed three different reports: SOC 1, SOC 2 and SOC 3. All are conducted by an independent third-party auditor.

Shape Software currently holds a SOC 1 Type II report. According to the AICPA, “SOC 1 reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting: SOC 1 reports are examination engagements performed by a service auditor (CPA) in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization to report on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements. Use of a SOC 1 report is restricted to existing user entities (not potential customers) and their auditors.”