Lessons Learned Along Kinsta’s Path to SOC 2 Compliance

Proven compliance with the SOC 2 cybersecurity framework is a badge of honor for technology organizations.

Developed by the Association of International Certified Professional Accountants to measure adherence to certain trust services criteria, System and Organization Controls 2 is a gold standard for outfits like Kinsta, whose business is hosting other companies’ data in the cloud.

Kinsta embarked on an effort to demonstrate SOC 2 compliance in the fall of 2022 and received a successful audit under the standard’s core security service criteria in August of 2023. Along the way, the Kinsta team learned a little about preparing for a SOC 2 audit.

We also found that we could make our systems even more secure than they already were.

If your organization is contemplating an attempt at a SOC 2 designation, we’re happy to share what we know with you.

What Is SOC 2, and What Does Compliance Entail?

SOC 2 is a set of information-security standards with which companies can voluntarily choose to comply. A company demonstrates compliance by aligning the way it operates with those standards.

Chief Operating Officer Jon Penland, who spearheaded the SOC 2 effort at Kinsta, says the AICPA’s criteria are general enough to be applicable to most organizations. It’s up to each organization — assisted by an independent CPA firm accredited by AICPA — to design and implement controls specific to their operations.

The SOC 2 framework includes five service criteria: security, availability, processing integrity, confidentiality, and privacy. Says Penland: “Since we were getting a SOC 2 program up and running for the first time, we focused on the core security criteria for our first SOC 2 audit.”

The final result is a SOC 2 audit report. Companies can receive two different types of reports:

  • Type I: This report provides evidence that a company has designed and implemented controls sufficient to comply with the SOC 2 standard. Think of it as a “snapshot” report, which confirms only that a company has designed and implemented appropriate controls but does not confirm that the company has remained compliant with those controls for any period of time.
  • Type II: This report takes things a step further by verifying that a company has complied with the controls during a defined observation period. Where a Type I report is a “snapshot” of compliance at a point in time, a Type II report verifies compliance over a defined period of time.

Penland says Kinsta opted for a Type II report, starting with the company’s performance for the three months beginning April 1, 2023.

The results are available to customers on Kinsta’s Trust Report page.

Key elements of Kinsta’s Trust Report page.

Making the Decision to Start the SOC 2 Process

Penland says compliance was on Kinsta’s radar long before the SOC 2 project kicked off in September of 2022.

“We had quite a few customer leads simply decline to consider Kinsta once they learned that we could not demonstrate compliance with the SOC 2 standards,” he says. “For many enterprise customers — and an increasing number of SMBs — SOC 2 compliance is a requirement they place on their vendors.”

“Also, in the absence of SOC 2, we had many leads ask us to complete extensive security questionnaires, which can take a lot of time and resources to complete. The SOC 2 Type II report will dramatically reduce the number of security questionnaires our team has to spend time on.”

What’s more, Penland says, “We believed that a framework like SOC 2 could help us improve our security in tangible and meaningful ways.”

Choosing a GRC Platform and an Auditor for SOC 2 Testing

“We recognized that we needed to identify two key vendors early on,” Penland says. “That’s the GRC (governance, risk, and compliance) software we would be using to automate compliance monitoring to the greatest extent possible and the CPA firm we would use to perform our first SOC 2 audit.”

“We decided to start by identifying the GRC software we felt best met our needs. We ended up researching more than a dozen competing GRC solutions, holding discovery calls with eight vendors, and demoing four or five different platforms. After weeks of work, towards the end of 2022, we settled on Vanta as our GRC platform.”

By January of 2023, Kinsta was in the process of getting internal systems working with Vanta’s automated tools for compliance monitoring.

“At the same time, we started looking at possible auditors,” Penland says. “Vanta has a number of auditor partners, and we decided to focus our search on these partners — the reason being that we wanted to make sure our auditor was familiar with Vanta and would accept evidence collected by them. After holding discussions with a few different auditors, we decided BARR Advisory was the right choice for Kinsta.”