At DocuPipe, we quickly learned that almost every document is Top Secret. If you think about it, most documents contain personally identifiable information, financial information, or facts that you may not want to share with the world. Even something as humble as a rental lease or an invoice is pretty much always best kept secret - let alone legal or medical information. For that reason, information security has been core to our machine since day one.

We chose to submit ourselves to the most rigorous external audits to further establish the trust required to earn your trust with Top Secret information. So I'm very happy to announce that DocuPipe is now SOC 2 Type II and ISO 27001 compliant. Both in readying for the audit and in maintaining a tight security posture afterwards, we chose Vanta as an ongoing security monitoring solution.

We're pleased to report that the audit period recorded no breaches and no material exceptions, and separate penetration tests found no critical vulnerabilities. But we still gained from this process. In readying for the audit, we established procedures around data security, prompt reporting, and vulnerability scanning. We also hardened our operations: establishing tight controls and well-defined processes around granting and revoking access to privileged roles in the organization, making sure our test and development environments are kept separate, and establishing mandatory trainings on data security for our organization.

An often-overlooked aspect of SOC 2 and ISO compliance is reliability. In readying for the audit, we identified some processes that could be monitored for early warning signs of failure to deliver a stable service. For example, automatic testing has identified some load balancers that can be monitored for increased latency and trigger earlier scaling response. We also improved CPU utilization monitoring and our cloud-wide logging solution to make sure we can investigate any error or outage. We have also moved all of our cloud resource configuration to Infrastructure as Code (IAC), allowing for more consistent and reliable deployments.

Onwards and upwards. Head on to our Trust Center to read more about our security practices, request our formal security reports, and learn more about our controls and policies.