We are excited to announce that Zip has achieved SOC2 Type I. This is a significant milestone for our company and demonstrates our commitment to maintaining the highest level of security for our customers. In this post, we’ll discuss what SOC2 Type I is, what it means for our customers, how we leverage our own products to help us stay compliant, and our ongoing commitment to protect customer data.
SOC2 Type I is a popular standard for security controls and is required by many major corporations. The process verifies that a company has established and implemented the necessary controls and processes to protect customer data. SOC2 Type I is based on the American Institute of Certified Public Accountants' (AICPA) Trust Services Criteria (TSC), including five key principles: Security, Availability, Processing, Confidentiality, and Privacy. The SOC2 Type I audit is primarily a rigorous assessment of a company’s internal processes, controls, and overall technical architecture, carried out to verify that the company meets the security controls, policies, and procedures outlined in the TSC.
Protecting customer data will always be our highest priority. Earning customer trust by implementing best-in-class security practices and adhering to rigorous security standards is critical to our business. The SOC2 Type I audit was an opportunity to demonstrate our commitment to security to our customers. The in-depth third-party audit of our company and systems deepens customer trust in Zip’s commitment to security and externally confirms our dedication to security.
At Zip, we use our own software internally to keep all of our company devices compliant. Through the Zip Console (pictured below), we are able to automatically turn on and enforce device firewalls, properly roll out disk encryption and escrow FileVault keys, deploy and manage CrowdStrike, and more. Leveraging our product helped us automate away portions of the SOC2 audit related to securing corporate devices, saving us hours of time internally. Our product also helps us stay up to date with the many key areas of security not included in the purview of SOC2.
Zip has a commitment to good security independent of the security framework used. Our engineers have previously architected systems that have achieved the highest levels of certification and authorization in the U.S. Government. We bring that knowledge and expertise to every line of code we write.
Zip has been built to be secure from first principles that translate across compliance and security frameworks. Our engineers are committed to adapting and evolving our software to protect against the ever-changing threat landscape. We will continue to invest in our security program to ensure that we maintain the highest standards of security and compliance — by all definitions — for our customers.