SaaS Vendors and SOC 2 Sharing

Kevin Qiu
May 4, 2021

Here at SafeBase we live and breathe security. Even though we are a small team of 5 and growing (we're hiring!), 3/5 of us either have security experience from past full-time security positions or from being a member of Unit 8200 of the Israeli Defense Forces.

I joined SafeBase earlier this year to be the full-time Director of Information Security to reduce the security workload from our busy engineering team and to lead our in-progress SOC 2 Type 2 audit. One of the tasks that I have been working on is a review of our numerous SaaS vendors. Most of the services that we are using are very common in the tech world, such as Google Workspace and Slack. With that being said, I decided to do a deeper dive into each of them to see if we were still comfortable with all of them from a security standpoint.

Luckily as of 2021 this can be done virtually!

As of April 2021, SafeBase team members had accounts registered either manually or via Google Workspace with 72 different SaaS services. As with many other modern software companies, the types of SaaS vendors ranged greatly and included tools that help SafeBase to:

  • Send notifications to customers
  • Perform detailed analytics
  • Scan our code for configuration issues and vulnerabilities
  • Host high quality video chats with customers and partners
  • And more!

One of the first areas I focused on when looking at these vendors was the SOC 2 report. Although a SOC 2 report is certainly not an end-all, be-all confirmation that a company has a great security program, it does provide a fairly comprehensive, baseline level of information that both prospects and current customers can reference during security reviews. In one particular case, I wanted to know where a certain vendor hosted their data, and I was able to find this information in their SOC 2 report but not from their public-facing security page.

Out of my own curiosity, I wanted to see the number of these services that:

  • Completed a SOC 2 Type 1 or 2 in the past
  • Was in the process of completing a SOC 2
  • Had no plans to complete a SOC 2 in the near future
  • Would be willing to share their SOC 2 report with me both as a paid or free tier customer
  • Required an NDA before sharing their report

Over the course of several weeks, as I did my security review for each vendor I also made sure to try to either download the SOC 2 report from the vendor's website, or to contact support. While vendors such as Microsoft and Google made the process fairly simple and self-serve, I was surprised by some of the steps I had to take with some other notable vendors.

Here are some stats on how the process went (*Note that I am still waiting on certain vendors to get back to me):

  • 26 vendors made their reports available to me. 4 made it available through self-service after logging in. The rest required me to contact customer support. Some of these email chains contained 5 or more emails before the report was given to me.
  • 19 vendors were deemed extremely low risk or tools that I decided we should sunset. I didn't ask these vendors for a report due to the lack of sensitive data shared.
  • 16 vendors did not respond to my inquiries as of writing or are still working on granting me access.
  • 11 vendors that I deemed medium or high risk had never completed a SOC 2 audit.
  • 9 vendors required a signed NDA before sharing.
  • 3 vendors applied a watermark to the report PDF.
  • 3 vendors were willing to share their report even though SafeBase was on a free plan.
  • 2 vendors were unwilling to share their report because SafeBase was on a free plan.
  • 1 vendor only made the SOC 3 available for our pricing plan. The SOC 2 required being on a higher tier.
  • 1 vendor shared the report using a view only link that blocked downloads.
  • 1 vendor was not willing to share their reports unless I upgraded to the highest tier, even though SafeBase was a paying customer.

As you can see, results were pretty mixed and every company seemed to handle these SOC 2 requests differently. I was surprised by the 4 vendors that had SOC 2 reports ready to share, but not to me due to our pricing plan. I decided to ask my LinkedIn network what their thoughts were about this.

The results of a LinkedIn poll that I conducted.

As of writing, a total of 178 users voted, and a strong majority voted "No." What's interesting is that there were several different opinions on the subject, from a variety of folks in audit, engineering, and sales.

This particular comment came from an experienced SOC 2 subject matter expert with a background in IT audit. He voted "Yes".

A comment from one of the poll responders

This comment came from a GRC manager at a SaaS company who voted "No", but did acknowledge that there can be perfectly valid reasons if the information in the SOC 2 does not apply to the security posture of the free tier service.

A comment from a separate poll responder

A final notable comment came from a CISO of a SaaS company who voted "No", and actually felt that restricting SOC 2 access can be a detriment for sales teams.

A comment from a separate poll responder

Here are some additional takeaways from my SOC 2 hunt based on both my personal experience and anecdotes from the conversation in my LinkedIn post and conversations with peers in the security space:

  • Free tier users may feel more comfortable trying out a SaaS solution as an extended trial of sorts if they receive a SOC 2 report for review. They may convert to paid users later in their user lifecycles.
  • Proactively sharing documentation such as a SOC 2 can potentially reduce the number of rows in a questionnaire, or even eliminate them entirely depending on the prospect's vendor evaluation process.
  • SOC 2 reports were not originally designed to be consumed by the general public, hence the need to sign an NDA with most SaaS vendors for access.
  • If a company does not have a self-service method to share a SOC 2, this process can often require multiple emails that are exchanged over several days, or even weeks.
  • There is not a single unified way that companies share SOC 2 reports with users. Some companies allow sales or customer support teams to share them, while others allow active users to download them via a self-service method without any human intervention.

As of this writing, I am still waiting on several vendors to either respond to my initial inquiry about their SOC 2 or to send over an NDA for me to sign before gaining access. Experiences like this are why my team created SafeBase.

Do your team members spend too much time with back-and-forth emails, outdated compliance reports, and NDAs? Check out how SafeBase can help streamline the security review process for your team and help them get back to what they do best.

Discover SafeBase

Learn how SafeBase has helped companies speed through security assessments and expedite deals.