SOC 2 (Service Organization Control 2) is a part of the AICPA’s (American Institute of CPAs) Service Organization Control reporting platform. SOC 2 is an auditing and attestation process that measures against the five trust principles outlined by the AICPA. When a business achieves SOC 2 compliance, it demonstrates that the company has implemented controls to ensure security, availability, processing integrity, confidentiality, and privacy of customer data.
The purpose of the privacy principle is to address the collection, use, retention, disclosure, and deletion of personal data, in line with Cronofy’s privacy notice, as well as with guidelines set out in the AICPA’s generally accepted privacy principles (GAPP).
Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, email address). Some personal data related to health, race, sexuality, and religion are also considered sensitive and generally require additional security. Controls must be put in place to protect all PII from unauthorized access to satisfy the Privacy principle.
Confidential data should be protected according to who owns the data and the purpose of that data. Data is considered confidential if its access and disclosure are restricted to a specific set of individuals or organizations.
The confidentiality principle sets out to ensure that encryption is in place to protect confidentiality when data is in transit and at rest. Network and application firewalls, together with rigorous access controls, are used to safeguard information being processed or stored on systems.
Availability in SOC 2 means ensuring that the services which support and deliver Cronofy products are available and can provide the service as advertised. This means ensuring that the business has the correct SLAs in place, underpinned by appropriate monitoring, alerting systems, and business processes (such as business continuity and
The security principle equates to ensuring that systems are secured appropriately so that unauthorized access is not possible. This takes the form of physical security such as firewalls and intrusion detection, and in Cronofy processes, such as ensuring that appropriate access control procedures are in place and consistently followed.
The purpose of the processing integrity principle is to ensure that a system achieves the goal it is set out to fulfill. We are essentially ensuring that our service delivers the right data, to the right place, in a timely fashion, while securing that data. Processing integrity also includes the monitoring of all data processing, including quality control, for example concerning system changes.
When you use Cronofy, you’re sharing potentially sensitive information with us. It’s our responsibility to make sure that we protect that data, and we take that responsibility very seriously. That’s why information security will always be a first-class concern for us.
Whenever we’re building or developing any aspect of our service, security is a key consideration. We understand that our customers care deeply about the security of their data, and it’s something we feel equally strongly about.
We want our customers to know that they can trust us to process and handle their calendar and event data – always securely and to the highest standards.
The ISO27001 standard, as well as the other standards achieved by Cronofy, serves to demonstrate the fact that we have a world-class Information Security management system in place and ensure confidence in the way we handle all your data.
Achieving certifications is important; however, we don't stop there. Cronofy is constantly evaluating developments and updates to standards, and continually updating policies and processes, to ensure we are as secure and compliant as possible.
Cronofy undertakes regular audits to ensure the requirements set out in SOC 2 are met, and most importantly, Cronofy remains SOC 2 compliant. Audits take place annually and cover the period of April to March. Reports are issued in May.
We make sure you keep control of your calendar and that it's private to you and those you'd like to share your availability with. Security is at the core of what we do and we have the best practices to ensure that privacy is never compromised.