We are happy to announce that Prefect has attained SOC 2 Type II compliance!
You may think I’m setting up for a story about the technical and business details we overcame to attain this milestone, or something similarly drab. But actually, I want to write about how reaching this goal is a testament to our employee-first company culture and the thoughtfulness in our efforts to build and support said culture. When it comes to the SOC 2 details, our journey was no different from that of companies that did it prior or those that will follow, but our company culture did pave the way for a relatively seamless transition into this new world of compliance.
Prefect from the outset has invested time, money and people in Operations and Culture. I consider myself a relatively early employee, yet still the person hired prior to me took a role dedicated to operations and culture. This is something both employees and our community alike have benefited from. Our culture is firmly rooted in positivity and value creation for all users.
This culture of positivity manifests itself in our hiring & onboarding, internal & external communications, product development, engineering practices and processes, to name but a few. For example, each and every person that joins our company is pleasantly surprised by the onboarding experience as they are introduced to the company. This is not by accident. Prefect dedicates significant time and effort, including dedicating an entire role to culture, to thinking through each and every experience related to the company. This shines through in our product innovation and development. Our goal was to do something similar with our SOC 2 certification.
Overall, the effort of becoming SOC 2 certified, which we were guided through by our partners at Laika, consisted of half a year of writing out our policies, performing a gap analysis on said policies and remediating those gaps. This was followed by another half a year of working within a control period where we were audited by a third party on how closely we observed those policies. Again, a testament to the thoughtfulness introduced early on to our operations, development life cycle, and processes, the gap analysis we delivered was relatively small and minor. This is not to say we didn’t need to remediate for certain controls, but what we mostly found was that we were not being as transparent in our documentation as we should have been or thought we were being. And in those instances where we did introduce a new policy or process, the company as a whole adopted the new way with zest. For example, shortly after we announced our policy for raising security incidents, the entire company rallied the incident response team to investigate a series of spam texts that multiple people had received. While these turned out to be innocuous, it was amazing to see how enthusiastic everyone was to help.
The SOC 2 process gave us plenty of reasons to enjoy getting together as a company: running round tables with incidents and DR scenarios, running phishing campaigns, and observing and commenting on the results. Culturally, we were ready for the changes we needed to introduce, and our working relationships allowed us to adapt and adopt these changes with ease, as a company as a whole.
We are always looking for great people that appreciate the fine balance between security and innovation, and those looking to join a company where we invest time in people, operations and culture to achieve the great results that we have demonstrated so far. Plus, you know that you’re joining after SOC 2 Type II is achieved!
We're happy to share more! To see evidence of our SOC 2 Type II certification, reach out to firstname.lastname@example.org.