NimbleBox.ai is now SOC 2 Type II certified

Over the last year, we have focused on ensuring our data security practices are as per industry standards. The SOC 2 Report provides independent third-party verification of our rigorous process and assessment of controls designed to protect sensitive client information. It also allows our partners to feel confident that they can rely on NimbleBox.ai as a trusted partner in terms of security.

NimbleBox.ai has received SOC 2 Type II certification from Prescient Assurance Inc., an independent third-party auditor who provides cybersecurity assessment services to vendors like us who want to ensure their products meet industry standards for data protection. They reviewed NimbleBox.ai's security controls, infrastructure, information security practices, procedures, and operations based on the standards set by AICPA. In addition, Sprinto assisted the team at NimbleBox.ai with monitoring business operations and the technology stack, among other essential checks.

Today, we're glad to announce that NimbleBox.ai is SOC 2 Type II compliant for the trust services criteria of security, availability, and confidentiality.

This blog discusses SOC2, our compliance journey, and what this means for NimbleBox.ai customers.

What is SOC 2 compliance?

SOC 2, which stands for Service Organization Control 2, is a voluntary compliance standard for organizations developed by the American Institute of CPAs (AICPA).

It specifies guidelines for organizations to use, maintain and manage customer data and recommends best practices in information security. SOC 2 compliance requires not just adherence to a set of security controls but also meticulous documentation of those controls and continuous monitoring and testing to ensure the controls function as designed.

The AICPA lists 5 Trust Services Criteria, which are relevant categories for organizations that store or transmit customer data. Those categories are:

• Security: Can we trust this organization to protect its information assets?
• Confidentiality: Does this organization keep its information private?
• Availability: Is this system operational when needed?
• Processing Integrity: Does this system process information correctly?
• Privacy: Does this organization manage its data privacy following client expectations?

Importance of SOC 2 compliance

• The SOC 2 Type 1 Audit provides a snapshot of an organization's infrastructure and controls, including security practices at a single point in time.
• The SOC 2 Type II Audit assesses these organizational controls over a more extended period, usually six months to one year. For this reason, obtaining Type II is a longer and more robust compliance process.

By adhering to SOC 2's rigorous standards and successfully achieving this milestone, NimbleBox.ai finally celebrates months of hard work by our team.

Our Compliance Journey: Implementing a Culture of Security

We have embedded a culture of security into our business. What do we mean by this?

It means we -

• Implemented a rigorous information Security Policy
• Conducted internal audit assessments
• Run background checks & hiring evaluations when onboarding new members
• Conduct compulsory security training for team members
• Test ourselves continually on current and emerging techniques and attacks
• Ensure secure software development practices following OWASP Top 10
• Encrypt data at rest and in motion on both public and internal networks
• Have a User Access Management system with access controls based on the policy of least privilege and on a need-to-know basis which we monitor and review quarterly
• Performed disaster management assessment where we created a response team and performed a response action, and documented the process
• Use monitoring & alerting tools

This isn’t an exhaustive nor finite list, but our latest SOC 2 Type 2 compliance makes our commitment to the security of our users' data official.

What does this mean for our customers?

If you are an existing NimbleBox.ai customer, email or let us know in your dedicated shared Slack channel to obtain a copy of the report. If you are currently piloting or evaluating NimbleBox.ai, your point of contact can provide you with the SOC 2 audit report under NDA.

Compliance at NimbleBox.ai: what's next

We are proud to be SOC 2 compliant, and we believe this is another step in our journey to ensure our customers can trust us with their data. It's also an important recognition for NimbleBox.ai as it demonstrates the quality and maturity of our approach to handling sensitive data.

Following our SOC 2 Type II report, we must get audited annually to ensure we stay compliant. The next step for NimbleBox.ai's investment in security is getting ISO27001 certified.