Data and code are the two most sensitive assets an organization has. Today we are proud to announce that Foundational is SOC 2 Type II certified, having obtained the industry-leading standard for security, availability, and confidentiality.
SOC 2 compliance is a set of measures that specifies how organizations should protect customer data from unauthorized access through controls, policies, procedures, and various technical measures. It was developed by the American Institute of Certified Public Accountants (AICPA) and is validated by certified third-party auditors, who check and confirm that an organization is meeting all requirements. The “Type II” suffix indicates that the audit is performed over a period of time, which also establishes how the organization handles changes, issues, and even incidents, and ultimately provides a strong and reliable indication of the organization’s security measures.
Since its inception in 2010, SOC 2 has been widely recognised as a leading compliance standard and is extremely common today among security teams. Startups typically get to SOC 2 in their second year, sometimes even the third, since larger organizations usually require it before approving any software vendor.
But SOC 2 also checks for organizational behaviors that any security-aware organization should have as early as possible. For example, it asks that every pull request be reviewed before getting merged. It requires every workstation to have an anti-virus. It ensures you have a firewall properly configured for your cloud servers. And it needs the organization to train every employee and contractor to be aware of security threats. These are all critical measures that every organization should have, and it was clear to us that we would want to establish them from day 1. We thought we shouldn’t wait. Foundational was built from its early days with security in mind, with many of its early employees and all three of its founders coming from extensive cybersecurity backgrounds.
One of the key principles of designing for security is the Principle of Least Privilege, which states that any entity performing an operation in the organization gets only the minimal permissions needed for that operation. For example, there shouldn’t be more than a few administrators for any type of server or service. This principle helps organizations, as well as product builders, design permission management properly to reduce risks and minimize damage in case of an incident. We continually put this principle to work in every aspect of Foundational, whether it’s our IT or our approach to developing new connectors.
Yet the security principle we are most proud of relates to how Foundational handles customer data. Put simply, we never access it. This is one of the inherent benefits of deriving code analysis and lineage from code: besides always being up to date, we never need to see the data or compromise any sort of access, simply because we can’t access it.
We are incredibly proud of this achievement. As we continue to enhance and develop our platform, we remain committed to always making security the highest priority.
If you have any questions or concerns about data security at Foundational, please don't hesitate to reach out to us at security@foundational.io. We are here to answer any questions you may have.
At Foundational, we are solving extremely complex problems that data teams face on a day-to-day basis. Security by Design is only one aspect of it. Connect with us to learn more.