At Zenhub, our mission has always been to help teams build better software, faster. Over the years, we’ve focused on building a platform that not only makes developers’ lives easier by allowing them to work more efficiently in GitHub but also seamlessly connects code to business operations and strategy. We’ve done this by delivering valuable features and capabilities like automated workflows, automated agile experiences, built-in planning poker, new reporting insights, and more – all aimed at creating the industry’s best developer experience and dramatically boosting team efficiency in GitHub.
With over 8000 teams worldwide using Zenhub, the importance of being committed to ensuring our platform is safe and secure cannot be overstated. We closely safeguard privacy and have implemented proper governance, procedures, and controls to secure the data of customers and users from malicious actors.
With such a close integration comes high responsibility for user data security and privacy. Our team has taken this responsibility very seriously right from the get-go. Appreciating the level of trust our users put in us, we’ve made continuous monitoring of our systems and compliance with industry standards a top priority.
Earlier this year, we announced Service Organization Control 2 (SOC 2) Type I compliance, and this month we’re pleased to announce that Zenhub has received its SOC 2 Type II certification. In this blog, we’ll walk you through what SOC 2 certification is, what it means for our customers and users, and take you through our journey of getting there and maintaining compliance.
What is a SOC 2 Certification?
A SOC 2 certification audits how a cloud-based service provider handles sensitive information. Considered the gold standard for security compliance, SOC 2 audits are conducted by an independent third party who is a Certified Public Accountant (CPA) or a CPA firm, and they use the criteria outlined by the AICPA.
SOC 2 Type I assesses the design of controls and security processes at a point in time.
SOC 2 Type II validates the efficacy of these controls by monitoring them in operation for three to six months and noting any exceptions.
SOC 2 Type I accreditation, which Zenhub achieved in April 2022, means that our infrastructure, development practices, and management processes meet (or exceed) the required levels of oversight and monitoring, and that we can detect and address issues quickly and reliably.
In July 2022, Zenhub achieved SOC 2 Type II, with zero exceptions, which further validated our controls and security framework, attesting to our operational effectiveness in responding to system vulnerabilities.
Why SOC 2 certification is so important
Our users' trust in us makes Zenhub a preferred platform among software teams. SOC 2 certification ensures our team is continuously taking steps to exceed expectations in maintaining the security of our users' data.
Asser Ghorab, Director of DevOps at Zenhub, reflects: "Going through an official audit process and third-party testers helped us ensure that we're addressing gaps and applying best practices in design, implementation, and internal processes and controls."
In addition to maintaining trust with our users, we are also keeping things simpler. Many companies require a third-party audit of their SaaS tools before implementing them in their organization, especially when those tools handle or have access to sensitive data. With a SOC 2 Type II certification, users know our software has been analyzed by a trusted third party, allowing them to implement Zenhub with fewer hurdles and doubts.
Our journey to SOC 2 compliance
Our journey towards SOC 2 compliance started years ago with our use of automated security monitoring systems and coding best practices. Having built the foundation of Zenhub’s infrastructure in a way that followed best practices, we felt confident going into the SOC 2 audit. The auditing process was rigorous and involved:
Continuous compliance monitoring: We use a service called Vanta that continuously monitors our systems to verify we are meeting the requirements of SOC 2 compliance.
Penetration testing: Also known as “ethical hacking,” a penetration test is conducted by a developer who attempts to hack into our systems to identify vulnerabilities.
Continuous vulnerability scanning: We ensure our ability to fix vulnerabilities as fast as possible by running an automated vulnerability scan every time we change the development environment.
Tracking audit actions in Zenhub: With all of the moving parts in an audit, it was helpful to keep goals organized using Epics and keep our team in the loop on our progress using a real-time roadmap in Zenhub.
Security is something we’ve built into Zenhub right from the beginning. Still, with the addition of SOC 2 Type II compliance, we’re giving our clients (and ourselves) the peace of mind that Zenhub is following and maintaining industry best practices regarding security.
Now that we’ve got our SOC 2 Type II certification, the next steps are continuous monitoring and testing of our cloud environments and internal systems – after all, you can’t sleep on security!
Want to learn more? Check out the official press release.
If you have any questions about Zenhub’s SOC 2 certification or data security at Zenhub in general, please don’t hesitate to contact our Customer Success team at firstname.lastname@example.org.