The phrase “SOC 2 Type II compliance” may sound complex and technical. But it’s actually an important credential that lets you know if a vendor is truly committed to information security.
In this Q&A, we talk with Omar Rey, Playvox’s privacy and security officer, about the ins and outs of SOC 2 Type II compliance, why it’s important, and why it should matter to contact centers.
Q: Omar, let’s start with the basics. What is a SOC 2 Type II report?
A: In simple terms, this report shares the findings of an audit of a company’s practices related to data security, confidentiality, and availability. The audit is completed by an independent firm using the Trust Services Criteria, which was established by the Association of International Certified Professional Accountants, or the AICPA.
Q: So is SOC 2 just an IT audit?
A: Actually, the audit looks at the data practices of an entire business. For example, a company’s HR department may have hiring and on-boarding processes in place to make sure that background checks are performed, non-disclosure agreements are signed, and employees receive training.
The Type II report shares the findings of the company’s HR security controls — as well as the practices of other departments — to make sure all parts of the business and its operations meet the Trust Services Criteria.
Q: Is Playvox SOC 2 compliant?
A: Yes. In spring 2021, an independent firm verified that the stringent security controls we have in place for our software operate effectively and meet the Type II compliance standards.
In 2019, an auditing firm confirmed that the design of our software security measures met the criteria for SOC 2 Type I compliance.
Q: Can you explain the difference between SOC 2 Type I and Type II compliance?
A: The difference between the two comes down to design and operations. Type I compliance looks at the overall design of a company’s security protocol. It essentially asks: Can the control do the job it was designed to do? Type II compliance then examines how effectively the security protocol actually performs.
The Playvox team takes pride in being both Type I and Type II compliant. This gives our customers confidence that the design and operation of our software security measures have been validated by trusted third-party sources.
Q: Why is it important to a contact center that we’re Type II compliant?
A: This credential tells our contact center customers that data security and accessibility, as well as confidentiality, are Playvox priorities. It clearly states that information security is something we take seriously, focus on each day, and approach the right way.
Achieving this level of compliance takes significant time and resources. We have to document and assess every security and operational control, and then make the necessary adjustments. The audit can take months to complete, and it must be repeated periodically in order to maintain the credential.
Playvox is committed to maintaining our SOC 2 compliance. After all, we want our customers to know that they’re in good hands when it comes to accessing and safeguarding their contact center information.
Q: Are there other ways this credential benefits our customers?
A: Along with providing a sense of assurance, being Type II compliant can save our customers time and kick off our work together — faster.
When we partner with a new contact center, we’re often asked to answer hundreds of questions about data storage, our compliance and continuity practices, as well as the security of the vendors we work with to provide our contact center solutions.
Because we have met the Trust Services Criteria, though, our customers know that a third party has already done the work of confirming that we’re compliant and secure, and that our protocols operate effectively. With this step out of the way, we can focus on the customer’s key concerns and get right to work.
Q: Omar, is there anything else you’d share about SOC 2 compliance?
A: Remember, a vendor that’s Type II compliant is showing that they’re committed to a higher standard of information security practices. They’ve volunteered to have the inner workings of their solutions examined and compared to the criteria set by the AICPA.
If I were a contact center leader, this credential would give me peace of mind that the vendor has the right software security controls in place and — perhaps more importantly — that these measures would be effective in safeguarding my company’s information.