SOC 2 Attestation: What It Is and Why We’re Committed to It Year After Year

Firmex has achieved SOC 2 Type 2 attestation, which exemplifies our commitment to confidentiality and security for all of our clients.

What do you need to know?

  • Firmex achieved SOC 2 Type 2 compliance following an independently-conducted audit.
  • This attestation exemplifies Firmex’s commitment to safeguarding all information within our virtual data rooms and providing our clients with privacy and peace of mind, so they can focus on getting deals done.
  • Firmex Virtual Data Rooms are equipped with SOC 2 Type 2-compliant robust security measures, ensuring that your data will be safe.

Committing to security for every transaction

When you’re conducting due diligence on a potential acquisition, sharing IP with investors, or undergoing an audit, you want your data to be securely stored throughout the process. Firmex prioritizes this in our virtual data rooms, which are equipped with robust security measures to keep your data safe.

The need to secure confidential information has led to a surge in data protection software. Advanced technology can help organizations identify threats sooner, but it can also help cybersecurity threats grow in volume and sophistication and react just as quickly to new security systems. During M&A transactions, cybersecurity breaches can lead to a lower deal value, a tarnished reputation, legal and financial ramifications, or an altogether abandoned deal.

To ensure data security throughout all stages of a transaction, companies are using purpose-built virtual data rooms equipped with robust security and precise permissions settings. Generic file-sharing services lack the same security features and are at a much higher risk of data breaches.

As the most-used virtual data room, Firmex is the platform where more diligence, deals, and compliance get done, and we want to ensure that all of our clients can have confidence in our secure data rooms. SOC 2 attestation affirms this commitment, certifying that our security measures are best in class.

“Along our continuous journey to provide a secure data room service experience, Firmex is proud to announce the completion of our annual audit and the availability of our SOC 2 compliance report,” said Glenn Attridge, vice president of technology at Firmex. “This achievement reflects our ongoing commitment to maintaining the highest standards of security, confidentiality, and availability for our clients.”

This isn’t the first time we’ve received a SOC 2 attestation. Since 2014, we’ve been working hard to gain this seal of approval – but why? What makes SOC 2 so important for a virtual data room provider?

What is SOC 2? Why is it important?

SOC 2 is a voluntary compliance standard developed by the American Institute of Certified Public Accountants (AICPA). Pronounced “sock two,” this compliance standard provides organizations with Trust Services Criteria (TSC), which are used to evaluate their internal controls for managing and securing data within their care.

The TSC includes five criteria:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Security is the mandatory criterion for SOC 2 compliance. If an organization’s security controls, which can include access control, vendor management, system backups, disaster recovery, and more, pass a SOC 2 audit, then that means its security is airtight for both its business and its customers.

This year, Firmex has received SOC 2 attestation for security, as well as for availability and confidentiality. The availability criterion ensures that systems are available and data is accessible to the user, while confidentiality ensures that information defined as confidential within the system is protected.

The SOC 2 audit is conducted by a third-party accounting firm to ensure objectivity. It occurs after the organization has conducted a readiness assessment, which can help it identify any gaps within its existing controls. After any adjustments are made, the organization must then continuously monitor its controls and make improvements to address new threats.

The audit itself involves the accounting firm evaluating the organization’s data security, procedures, and controls across operations. It’s a rigorous test, designed to find any vulnerabilities it can within the organization’s safeguards.

There are two different types of SOC 2 audits, each with its own attestation.

  • SOC 2 Type 1 – Assesses the security controls of an organization at a fixed point in time.
  • SOC 2 Type 2 – Assesses the security controls of an organization over a longer period, typically from six to 12 months.

At Firmex, we’ve been achieving SOC 2 Type 2 compliance since 2019, and this year is no exception. 

Re-attestation for SOC 2 Type 2 isn’t automatic. Each year, we undergo a new audit performed by an independent accounting firm. This year’s report had zero findings, demonstrating a perfect result. This clean report means we aren’t just keeping pace with compliance requirements; we’re actively verifying that our controls remain robust in a changing risk environment.

Look for SOC 2 attestation when choosing your virtual data room

Cybersecurity is top of mind in M&A transactions. With cybersecurity threats growing both in volume and sophistication, safe data storage is a critical issue, particularly during crucial moments in due diligence, litigation, and other processes.

A virtual data room may offer promising features or an enticing price, but it also needs to provide proper security controls to be an effective tool. When browsing providers, consider asking the following questions:

  • Is the VDR provider SOC 2 compliant?
  • Is the SOC 2 attestation Type 1, evaluated over a point in time, or Type 2, evaluated over a long period of time?
  • How long has the provider been compliant?
  • Have they been consistent in compliance?

Asking these questions can give you the full picture of a provider’s security compliance, not just a polished top-level pitch. It will also reveal how dedicated they are to providing a secure platform for confidential documents. If a provider is SOC 2 compliant, then you’ll know this is a trustworthy organization that will deliver on its promise of securing confidential information.

With that assurance, you’ll be able to use your virtual data room to focus on what matters most: getting deals done.

Security compliance may seem like a boring or repetitive topic, but as the regulatory and cybersecurity landscape continues to evolve, these attestations will be key signifiers of trust and safety. In the coming years, Firmex will continue investing in security and compliance to ensure our virtual data room remains a trusted, world-class platform.

If you’d like to learn more about how Firmex protects your data or see our security standards in action, please visit our security page.