Security spotlight: SOC 2 compliance

Pinwheel Team

September 24, 2021

Pinwheel is on a mission to build a fairer financial system by unlocking API access to payroll systems. As part of delivering on that mission, we hold ourselves responsible for safeguarding the security and privacy of our customers’ data and of every one of their users who touches our platform. SOC 2 compliance is one of the many measures we have incorporated into our infrastructure and operating processes to live up to this commitment.

What is SOC 2?

A SOC 2 report is issued after an in-depth audit by an independent third-party firm. It assesses whether an organization has implemented the appropriate controls, security configurations, and internal policies to manage its organization and its data securely. There are two types of SOC 2 reports, Type I and Type II. A Type I report attests that an organization has implemented controls at a snapshot in time. In contrast, a Type II report affirms that these controls have been implemented and adhered to over a six-month minimum period. Pinwheel was issued a SOC 2 Type II report, underscoring our diligent and consistent approach to data security and privacy.

Preparing for the Audit

We partnered with Vanta, the leading SaaS platform that automates the complex and tedious work of preparing for an audit. Vanta connects to our critical cloud service providers, such as AWS and Datadog, and continuously monitors them for compliance across a set of controls. A special shout-out goes to Steven Stone, a Senior Site Reliability Engineer at Pinwheel, who was instrumental in connecting all of our systems and configuring our infrastructure to pass every one of Vanta’s automated monitoring tests. In addition to continuous monitoring and testing, Vanta simplifies the onboarding process for new employees with an intuitive interface for accepting company policies and completing mandatory security awareness training.

The Audit

Pinwheel’s SOC 2 Type II examination was conducted by The Cadence Group, one of the most reputable risk management and advisory firms. Facilitated by Vanta, they tested controls across the five trust services categories defined by the American Institute of CPAs (AICPA): Security, Availability, Confidentiality, Processing Integrity, and Privacy. For each of the criteria mapped to Pinwheel’s controls, the audit found us meeting and exceeding all SOC 2 standards.

Beyond SOC 2

While SOC 2 is an important milestone, we are dedicated to continuously improving our security posture. At Pinwheel, security projects are first-class citizens, incorporated directly into our engineering roadmap. In addition, we recently brought on Jeff Hudesman as our first CISO to spearhead new security initiatives and pursue further certifications such as ISO 27001. Information security is a never-ending journey, and we are committed to staying the course.