uPerform has completed its fifth SOC 2 exam. Here’s what that means for you.

January 8, 2024
by Caitlin McVeigh-Gagnon

Blog PostEnterpriseHealthcaregolden shield sits just out of line from a row of dark colored shields.

uPerform recently announced the completion of our latest SOC 2 examination. But what does that mean for us as an organization—and for you as our client?

At uPerform, keeping your data secure is our top priority. To ensure that our systems and controls have been designed appropriately to achieve that goal, we seek out third-party attestation from a qualified auditing firm each year. Our latest SOC 2 report is the result of their most recent examination. In this article, we’ll explain what a SOC 2 report is, what it covers and why we chose to undergo this rigorous compliance audit annually.

What is a SOC 2 report?

Obtaining a System and Organization Controls (SOC) 2 report is one way for a service organization to attest to the security of its digital environment. Completing a SOC 2 examination through an accredited third-party auditor does not result in any certification. Instead, the resulting CPA’s report functions as a tool to help an organization communicate whether the internal controls they’ve put in place governing the security of customers’ and partners’ data are properly designed, implemented and maintained.

In simpler terms, a SOC 2 report provides an avenue for current and potential stakeholders to assess risk by giving them a closer look at the policies and procedures put in place to ensure the organization’s services are provided safely and reliably.

What does a SOC 2 report cover?

All SOC 2 examinations are performed by accredited CPA firms under the standards defined by SSAE 18. An auditor tests the effectiveness of the internal controls outlined by the organization, then maps those controls to one or a combination of Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA).

In our case, those criteria include:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.

The scope of a SOC 2 report can also vary with regard to the time period covered. SOC 2 Type II reports examine controls over some time, usually between three and 12 months, and include both a list of the controls tested as well as the auditor’s test results. The reporting period for uPerform’s latest SOC 2 report spanned from November 1, 2022 to October 31, 2023.

Why did we undergo a SOC 2 exam?

Completing a SOC 2 examination marks a huge step forward in uPerform’s efforts to demonstrate our commitment to data security and ensure that we’re prepared to face the challenges of the ever-changing cybersecurity landscape.

“For five consecutive years, our SOC 2 reports confirm our steadfast commitment to maintaining top-tier security, availability and confidentiality controls at uPerform” said Brian Anderson, Chief Information Security Officer (CISO). “This ongoing dedication reinforces client confidence, assuring them of our unwavering commitment to upholding the highest security standards and delivering exceptional service quality.”

Where can I go for more information?

Current and prospective clients interested in obtaining a copy of uPerform’s latest SOC 2 report may submit a request at https://www.uperform.com/contact. Our auditing partner, BARR Advisory, has provided a detailed breakdown on how to read a SOC 2 report, including where to find the most important and relevant information for your situation.