At Mersive Technologies, keeping customer and stakeholder data secure is our top priority. To ensure that our systems and controls have been designed appropriately to achieve that goal, we sought out third-party attestation from a qualified auditing firm. Our SOC 2 and SOC 3 reports are the result of their examination.

In this blog post, we’ll explain what these reports are, what they cover, and why we chose to undergo this rigorous compliance audit.

What is a SOC 2 report?

Obtaining a System and Organization Controls (SOC) 2 report is one way for a service organization to attest to the security of its digital environment. 

Completing a SOC 2 examination through an accredited third-party auditor does not result in any certification. Instead, the resulting CPA’s report functions as a tool to help an organization communicate whether the internal controls they’ve put in place governing the security of customers’, partners’, and stakeholders’ data are properly designed, implemented, and maintained.

In simpler terms, a SOC 2 report provides an avenue for current and potential stakeholders to assess risk by giving them a closer look at the policies and procedures put in place to ensure the organization’s services are provided safely and reliably.

“This SOC 2 report affirms that Mersive has successfully managed the controls in place over the selected trust services criteria developed by the American Institute of CPAs (AICPA) for effective data management,” said Julie Mungai, senior manager of attest services at BARR Advisory. “Congratulations to the Mersive team on once again cementing its commitment to cybersecurity best practices.”

What is a SOC 3 report?

A SOC 3 report is similar in scope to a SOC 2 report, but the information is packaged more concisely. This makes SOC 3 reports easier to read and a better fit for widespread distribution. 

Both reports result from the same audit, and both can help communicate that an organization’s controls are properly designed, implemented, and operating effectively.

What do these reports cover? 

SOC reports result from an examination performed by an accredited CPA firm under the standards defined by SSAE 18. An auditor tests the effectiveness of the internal controls outlined by the organization, then maps those controls to one or a combination of Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA).

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.

The scope of a SOC report can also vary with regard to the time period covered. SOC 2 Type II reports examine controls over a period of time, usually between three and 12 months, and include both a list of the controls tested as well as the auditor’s test results. 

The reporting period for Mersive Technologies’s most recent SOC 2 and SOC 3 reports spanned from March 1, 2024, to May 31, 2024.

Why did we undergo this exam?

Receiving our SOC 2 and SOC 3 reports marks a huge step forward in Mersive Technologies’s efforts to demonstrate our commitment to data security and ensure that we’re prepared to face the challenges of the ever-changing cybersecurity landscape. 

“We are pleased that our SOC 2 and SOC 3 reports have shown we have the appropriate controls in place to mitigate risks related to security, confidentiality, and availability, along with HIPAA Security Rule requirements,” said Alan Young, Mersive’s Chief Product Officer and CISO. “We hope that achieving these milestones inspires continued confidence and assures our customers and partners that we view data security as a top priority.”

For more information

Our auditing partner, BARR Advisory, has provided a comprehensive overview of the different types of SOC examinations and their unique requirements for cloud service organizations.

Current and prospective customers interested in a copy of Mersive’s SOC 2 or SOC 3 reports, please contact sales@mersive.com.