Compliance Technical certifications comply with industry standard requirements. Vendors should be able to provide a comprehensive compliance program with certifications and attestations. Standard Occasional Unique Privacy policy SOC 2 Penetration testing Privacy policies are standard for most vendors The American Institute of Certified Public A vendor can and should undergo regular and assure customers that data will be held Accountants (AICPA) Service Organization penetration testing by independent third parties privately in almost all situations. Controls (SOC) reports give assurance over control to ensure that their platform is secure. environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality, and security of customer data and are issued for 6-month periods each year. The SOC Type 2 reports cover controls around security, availability, and confidentiality of customer data. Regular SOC 2 audits are conducted by an independent, third-party auditing firm. You should be able to contact a vendor to request the latest copy of their SOC 2 audit. 34