Over the past fourteen months, our security and compliance teams have been hard at work building policy, controls, and standards to be able to provide our clients with clear documentation of our commitment to these critical Information Security programs.
We're excited to announce that we have now completed our SOC 2 (System and Organization Controls) Type II audit covering the period of June 1, 2022 - November 30, 2022 and finalized our PCI SAQ-A documentation for the same period.
In this post, we'll cover some common questions we've had both internally and externally, along with letting you have a little peek under the hood of our certification processes. We're thrilled to have gotten to this point and look forward to furthering our compliance with key industry-standard programs like these and successfully reconfirming our audits each year.
What is SOC 2?
SOC is the methodology adopted by the AICPA to define "system and organization controls" that provide an indication of the security posture and process maturity of a participating organization. These controls cover a wide range of items including fraud and risk assessments, security training for employees, and code review practices within the engineering organization.
The SOC 2 framework provides a common set of basic control requirements, along with several optional control groups which the organization can choose to include. The compliance team defines the evidence that will be provided to satisfy each control, and an independent auditor is engaged to evaluate whether that evidence satisfies the control and whether the control operated correctly throughout the audit period. Wildfire provided controls for the following areas of review:
- Common Criteria (required for all SOC 2 audits)
- Processing Integrity
What is PCI SAQ-A?
PCI DSS is a set of standards that credit card industry merchants, processors, and handlers must adhere to in order to ensure strong protections of users' card information. To operate alongside PCI DSS organizations, we complete a self-assessment questionnaire, type A (SAQ-A), showing that we abide by the appropriate merchant-level protections to operate in a connected manner with the actual processor.
Wildfire believes attaining this certification is an important part of building trust with our clients. While the Wildfire rewards platform does not directly process any card information, the fact that Wildfire cashback products and white-label browser extension features interact with these PCI systems requires careful control of our API endpoints. Any data that we do process must be appropriately protected, monitored, and audited so that our systems cannot be used to violate PCI standards.
So... How Bad Was It?
The process was simultaneously better and worse than we imagined. If you've read Fly.io's blog on getting their SOC 2 audit completed, our team echoes a lot of their sentiment and pain points. As an engineering organization, we already had policies and protections in place to satisfy many of the more urgent controls, so we did not need a fundamental shift in how we build our white-label rewards program software.
However, we definitely had some rough-around-the-edges policies for certain topics, like official documentation for employee onboarding and offboarding (we're small enough that we don't have a lot of practice here yet!). For these, we had to spend considerable time building out policies and formalizing risk analysis, both internal and external to Wildfire.
Our audit team did a great job of working through these issues with us during our readiness assessment, helping us learn about our own deficiencies and how we can approach improving them. We were pleasantly surprised by the number of times we were told that our processes (such as large-scale Infrastructure as Code, branch protection, and peer review requirements) were ahead of the curve for a company our size as well!
Overall, we're grateful to have completed this round and are well-aligned internally on the effort it will take each and every year to remain in compliance. We also feel we can make the process easier each year as we automate evidence gathering and streamline our policy processes.
How Do Our White-Label Rewards Clients Benefit?
If you're a prospective client researching Wildfire and our white-label cashback rewards platform, our SOC 2 and PCI documentation provides a direct representation of our commitment to securely and accurately providing service to your organization. Rather than spending weeks asking questions, these documents build a foundation of trust and assurance from which your own internal risk analysis and security teams can build.
Our yearly release of this review also relieves some pressure on our clients, who know that we regularly engage a penetration test team and an independent auditor to maintain alignment with our stated control structure. These third-party analyses are incredibly important, and we are committed to them from the ground up.
By the way, this documentation is now available to our existing white-label cashback rewards platform clients through their respective Client Success representatives.
How Does Wildfire Benefit?
As helpful as these new reports are for our clients, they may actually be even more beneficial to Wildfire, because our sales and due diligence processes get shortened. We also gain significant advantages within the organization.
While a SOC 2 audit does not turn a poor security environment into a strong one, it can still add weight to desired process improvements. Secure coding practices, standardized secret management, and restriction of access to critical systems are things that can often be left by the wayside at a startup, but they are fundamental to simplifying the audit cycle.
As we continue to evolve our security and coding practices, we can leverage SOC 2 controls and reporting to assist in gaining buy-in from the staff and executive team.
Our audit also helped our security and compliance team identify our key next steps for further securing and protecting our infrastructure. Many of these items were already on the list of "to dos," but have been accelerated due to a new understanding of their impact on the simplicity of our next audit cycle.
Finally, the process of building our policies and controls has provided a much-needed alignment across the organization on the culture and methods we intend to foster as we grow. Having a unified vision is relatively simple when there are five people involved. But when a company approaches fifty, or five hundred people, that becomes significantly more challenging.
Creating these policies now is a big step toward canonizing our beliefs and approaches.
Compliance is a difficult and time-consuming process, but it is an important step toward working with some of the largest financial institutions in the world. Wildfire is continually improving its processes to be at the forefront of our industry relative to our size. SOC 2 Type II and PCI SAQ-A are just the latest steps we've taken to show that commitment to our partners and the world.