Coassemble is Now SOC 2 Compliant: Here’s How We Got There
As we continue our evolution from a traditional LMS into a modern, AI-powered knowledge transfer platform, earning SOC 2 compliance reinforces our promise to protect what matters most: your content, your learners, and your business.

Ryan Macpherson
Apr 9, 2025

What is SOC 2 compliance?
At Coassemble, security isn’t just a checkbox—it’s a core part of how we operate. Our customers trust us to power the training experiences that help their businesses grow, and that trust comes with the responsibility of protecting their data.
That’s why we’re proud to share that Coassemble is officially SOC 2 compliant—a major step forward in our commitment to transparency, reliability, and security.
SOC 2 (System and Organization Controls 2) is a widely recognized reporting framework developed by the American Institute of CPAs (AICPA). A SOC 2 report is an independent auditor's opinion on how effectively a company safeguards customer data, measured against five Trust Services Criteria:
Security
Availability
Processing Integrity
Confidentiality
Privacy
Customer account data is classified as confidential and is protected through measures like encryption and restricted access, in line with the confidentiality criteria.
Achieving SOC 2 compliance means we’ve implemented—and maintain—strict internal controls and processes to meet these principles. It also means we’ve passed an independent third-party audit to validate it.
Introduction to SOC 2
SOC 2 is a security framework developed by the American Institute of Certified Public Accountants (AICPA) that sets out criteria for how service organizations protect customer data from unauthorized access, security incidents, and other risks. The framework is based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Together they describe the controls a service organization is expected to have in place to protect customer data and maintain the integrity of its systems.
For SaaS companies and other service providers, SOC 2 compliance is crucial. It gives customers assurance that their data is secure and that the provider is committed to a high standard of data protection. An independent third-party audit is what makes that assurance credible: it confirms that the organization has actually implemented, and is operating, the controls and policies the criteria require. A SOC 2 report also shortens customers' own due diligence, since their security team can review one audited report instead of running a bespoke questionnaire, which in turn removes friction from sales.
Importance of Compliance
Compliance with SOC 2 matters for any service organization that handles sensitive customer data. The Trust Services Criteria give an organization a structured way to demonstrate that it protects customer data and maintains the security, availability, processing integrity, confidentiality, and privacy of its systems. An audited report provides assurance that those controls are both suitably designed and operating effectively, which is what lets customers and business partners rely on the organization without re-examining its controls themselves, and it lowers the likelihood and cost of breaches and other security incidents.
Our Journey to SOC 2 Compliance and Trust Services Criteria
Starting the process
Security has always been a focus for us, but we knew SOC 2 would take it to the next level. We kicked off the project with a dedicated cross-functional team that included leadership from engineering, product, and operations. We wanted to embed security thinking across the business—not just check boxes.
As part of our SOC 2 program we put particular emphasis on disaster recovery planning, which supports the availability criteria: documented, tested recovery procedures are what allow us to maintain service levels and protect our data and systems when something goes wrong. That resilience is part of what customers and business partners are trusting when they rely on a SOC 2 report.
Choosing the right partner
To guide us through the compliance process, we partnered with Vanta, a leading security and compliance automation platform. Vanta helped us accelerate the timeline by automating evidence collection, identifying control gaps, and continuously monitoring our systems. Their platform made it easier to stay organized and track progress from day one.
Readiness Assessment and Preparation
A readiness assessment is an essential step in preparing for a SOC 2 audit. This assessment helps service organizations identify gaps in their security controls and ensures that they are compliant with the Trust Services Criteria. The preparation process involves several key steps:
Implementing Security Controls: Service organizations must design and implement security controls that meet the requirements of the Trust Services Criteria. This includes access control, network security, data encryption, and other measures to protect customer data.
Collecting Evidence: Evidence collection is a critical part of preparation. Service organizations must gather documents, records, system exports, and other materials that demonstrate the operating effectiveness of their internal and security controls. During the audit that evidence is tested: the auditor runs or re-performs tests, reviews the evidence, and interviews team members, and the results feed into a final report on the organization's compliance with the Trust Services Criteria.
Reviewing Internal Controls: Internal controls must be reviewed to ensure that they are operating effectively and meet the requirements of the Trust Services Criteria. This involves regular testing and monitoring of the controls to identify any weaknesses or gaps.
A certified public accountant (CPA) firm can assist with readiness, advising on which controls are needed, how to collect evidence, and how to review internal controls against the Trust Services Criteria. One caveat: the firm that issues the SOC 2 opinion must remain independent, so it can assess readiness and point out gaps, but it should not design or operate the controls it will later audit.
Audit Timeline and Experience with Security Controls
From preparation to final audit, the process took several months. We worked closely with our audit partner to ensure every control was documented and tested. While rigorous, the process went smoothly thanks to the groundwork laid by our team and the support from Vanta. The final report contains the auditor's opinion on the controls examined. A report covers a specific period, and customers generally treat it as current for about twelve months, after which they expect a new one. It is a restricted-use document, typically shared with customers and prospects under NDA during security reviews, while the fact of being SOC 2 compliant can be stated publicly.
A SOC 2 Type I report covers control design at a point in time; a Type II report also tests operating effectiveness over an observation period, commonly three to twelve months. Type II is the report most customers ask for, because it shows that controls worked throughout the period, not just that they existed on one day.
Key takeaways
Start early. SOC 2 isn’t something you can sprint through at the last minute.
Choose the right tools. Automating the process helped us scale security without slowing down product development.
Security is everyone’s job. Compliance was a team effort—collaboration was key to getting across the finish line.
Ensure design and operating effectiveness. A control has to be both well designed and actually performed. Test your controls and review the evidence yourself before the auditor does, so gaps are found and fixed before the observation period rather than during it.
Security Framework and Controls
The SOC 2 security framework is designed to provide a comprehensive approach to information security. The framework includes five categories: security, availability, processing integrity, confidentiality, and privacy. Each category includes specific criteria that service organizations must meet to ensure the security and integrity of customer data.
The security category, also known as the Common Criteria (CC1 through CC9), is mandatory for every SOC 2 report. Its criteria span the control environment, communication, risk assessment, monitoring, control activities, logical and physical access controls, system operations, change management, and risk mitigation. Access control, network security, and encryption of customer data all fall under it. Service organizations must design and implement internal controls to meet these criteria and show that those controls operate effectively.
The other categories—availability, processing integrity, confidentiality, and privacy—each have their own specific criteria. For example, the availability category focuses on ensuring that systems are available for operation and use as committed or agreed. The processing integrity category ensures that system processing is complete, valid, accurate, timely, and authorized. The confidentiality category focuses on protecting confidential information, and the privacy category addresses the collection, use, retention, disclosure, and disposal of personal information.
By meeting the criteria in each of these categories, service organizations can ensure that their security controls are robust and effective, providing assurance to their customers that their data is protected. An organization's security posture is evaluated through audits, providing a framework for improving and maintaining security standards year-over-year.
Evidence Collection and Review
Evidence collection and review are critical components of the SOC 2 audit process. Service organizations must collect evidence to demonstrate the operating effectiveness of their internal controls and security controls. A SOC 2 audit evaluates an organization's controls designed to protect and secure the systems and services used by their customers or partners. This evidence may include documents, records, and other materials that demonstrate compliance with the Trust Services Criteria.
The external auditor will review this evidence to ensure that it is sufficient and appropriate to support the service organization’s claims of compliance. The auditor will also test the controls to ensure that they are operating effectively. This involves examining the evidence, performing tests of controls, and reviewing the results to determine if the service organization has met the necessary requirements.
The evidence collection process can be time-consuming and complex, but it is essential for demonstrating compliance with the Trust Services Criteria. Service organizations must ensure that they have robust processes in place for collecting and reviewing evidence, and that they are prepared to provide this evidence to the external auditor during the audit.
Common Criteria and Standards
The Common Criteria, also known as the security category, is the core of the SOC 2 framework. Among other things it requires access control, network security, and encryption, and service organizations must meet it to protect the security and integrity of customer data.
The Trust Services Criteria are aligned with the COSO internal control framework, and the AICPA publishes mappings from them to other widely used standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO 27001. Organizations already working to one of those standards can reuse much of that work in a SOC 2 program.
Meeting the Common Criteria involves a range of security controls: access control measures, including multi-factor authentication, that restrict who can reach systems and data; network security measures such as firewalls and segmentation that protect against external threats; and encryption of sensitive information at rest and in transit. Implementing them is only half the job. Service organizations must also test and monitor these controls regularly, keeping evidence of each check, so that an auditor can confirm they operated effectively throughout the period under review.
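The kind of automated control test that paragraph (and the evidence collection section above) describes, as an added example that is not Coassemble's or Vanta's code: a Python script that reviews a constructed inventory of user accounts against four logical-access policies, namely MFA on privileged roles, disabling of dormant accounts, API key rotation, and removal of offboarded users, and emits a hashed evidence record an auditor could sample. The policy thresholds, the account fields, and the mapping to the CC6 criteria family are assumptions made for the example; a real run would pull the inventory from an identity provider or cloud IAM API.

```python
"""Automated access-review check of the kind kept as SOC 2 evidence.

Illustrative example only; the account inventory is constructed inline.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta

MAX_INACTIVE_DAYS = 90      # assumed policy: dormant accounts are disabled after 90 days
MAX_KEY_AGE_DAYS = 365      # assumed policy: API keys are rotated at least yearly
PRIVILEGED_ROLES = {"admin", "owner"}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    mfa_enabled: bool
    last_login: date | None     # None means the account has never logged in
    key_created: date | None    # None means no API key issued
    employed: bool              # False once HR marks the person as offboarded


@dataclass(frozen=True)
class Finding:
    user: str
    control: str                # which policy statement failed
    detail: str


def review_accounts(accounts: list[Account], today: date) -> list[Finding]:
    """Return one Finding per policy failure; an empty list means the control passed."""
    findings: list[Finding] = []
    for a in accounts:
        if not a.employed:
            findings.append(Finding(a.user, "offboarding", "account still enabled after termination"))
            continue  # the other checks are moot for an account that should not exist
        if a.role in PRIVILEGED_ROLES and not a.mfa_enabled:
            findings.append(Finding(a.user, "mfa", f"privileged role '{a.role}' without MFA"))
        if a.last_login is None or (today - a.last_login).days > MAX_INACTIVE_DAYS:
            findings.append(Finding(a.user, "dormant", "no login within the inactivity window"))
        if a.key_created is not None and (today - a.key_created).days > MAX_KEY_AGE_DAYS:
            findings.append(Finding(a.user, "key_rotation", "API key older than rotation policy"))
    return findings


def evidence_record(accounts: list[Account], findings: list[Finding], today: date) -> dict:
    """Build the artefact an auditor samples: population tested, result, and a digest
    over the canonical JSON so the record can be shown not to have changed later."""
    body = {
        "control": "CC6 logical access review",   # assumed mapping to the Common Criteria family
        "run_date": today.isoformat(),
        "population": sorted(a.user for a in accounts),
        "result": "pass" if not findings else "fail",
        "findings": [asdict(f) for f in findings],
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    return {**body, "sha256": hashlib.sha256(canonical).hexdigest()}


# Constructed sample data for the example; the run date matches the post.
TODAY = date(2025, 4, 9)
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", True, TODAY - timedelta(days=2), TODAY - timedelta(days=30), True),
    Account("bob", "admin", False, TODAY - timedelta(days=1), None, True),            # admin, no MFA
    Account("carol", "editor", True, TODAY - timedelta(days=120), None, True),        # dormant
    Account("dave", "editor", True, TODAY - timedelta(days=5), TODAY - timedelta(days=400), True),  # stale key
    Account("erin", "editor", True, TODAY - timedelta(days=3), None, False),          # offboarded, still enabled
]

if __name__ == "__main__":
    found = review_accounts(SAMPLE_ACCOUNTS, TODAY)
    print(json.dumps(evidence_record(SAMPLE_ACCOUNTS, found, TODAY), indent=2))
```

Run on a schedule, a check like this produces the dated, repeatable evidence a Type II audit wants for an access control, and the list of failing accounts is the ticket queue for remediation. The digest is there so the stored record can later be shown to match what was generated on the run date.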
By adhering to the Common Criteria and other industry standards, service organizations can provide assurance to their customers that their data is secure and that they are committed to maintaining high standards of data protection.
Benefits of Compliance
The benefits of SOC 2 compliance are numerous. For service organizations, achieving compliance can lead to increased customer trust and confidence, improved reputation, and a competitive advantage in the marketplace. Compliance can also help organizations reduce the risk of data breaches and other security incidents, which can result in significant financial losses and damage to their reputation. Additionally, SOC 2 compliance can help service organizations improve their internal controls, security policies, and risk management practices, leading to a more robust and secure information security program. By demonstrating compliance with SOC 2, service organizations can also meet the requirements of their customers and business partners, making it easier to establish and maintain relationships with them.
Implementation and Maintenance
Implementing and maintaining SOC 2 compliance requires a significant effort from service organizations. The process typically begins with a readiness assessment, which helps organizations identify gaps in their controls and determine the scope of their SOC 2 audit. Once the scope is defined, organizations must design and implement controls that meet the trust services criteria, including security, availability, processing integrity, confidentiality, and privacy. The next step is to engage a certified public accountant (CPA) firm to conduct a SOC 2 audit, which involves reviewing evidence, testing controls, and evaluating the design and operating effectiveness of the organization’s controls. After the audit is complete, the CPA firm will issue a SOC 2 report, which provides an opinion on the organization’s compliance with the trust services criteria. To maintain compliance, service organizations must continually monitor and update their controls, perform regular risk assessments, and undergo annual SOC 2 audits to ensure that their controls remain effective and aligned with the trust services criteria. By following these steps, service organizations can ensure that they remain compliant with SOC 2 and continue to protect sensitive customer data.
Why SOC 2 Compliance Matters to You
When you’re building and delivering courses on Coassemble, you’re often handling sensitive content—especially if you’re in regulated industries like finance, healthcare, HR tech, or education. SOC 2 compliance gives you the confidence that we’re meeting (and exceeding) industry standards to protect your data and maintain customer trust. When selecting a service provider, SOC 2 compliance should be a top consideration to ensure the protection of sensitive information.
In practice, this means:
Your data is protected by robust security controls, encryption, and 24/7 monitoring.
Our infrastructure is built for reliability and can quickly recover from incidents.
We’ve been independently verified—so your stakeholders and security teams can rest easy.
What’s Next?
Our SOC 2 report isn't a one-and-done milestone; it's part of a long-term commitment to strengthening our security and compliance practices, and SOC 2 is an attestation that has to be renewed with each audit period rather than a certificate that is awarded once.
We’re continuing with:
Continuous monitoring of our systems and controls
Quarterly security reviews to assess and improve our posture
Ongoing training for our team to stay ahead of emerging threats
Security is a journey, not a destination. SOC 2 compliance is one more way we're investing in building a platform that's secure, scalable, and trusted by organizations around the world, and we treat it as part of our overall risk management strategy rather than a standalone exercise.
Thanks for continuing to trust Coassemble as your knowledge transfer partner. We’re excited about what’s next—and we’re doing the work to make sure your data is always in good hands.