System and Organization Controls (SOC)

System and Organization Controls (SOC) are a series of standards designed to help measure how well a service organization conducts and regulates its information. The SOC framework provides assurance regarding the controls at service organizations related to various aspects like security, privacy, and confidentiality.

Dataddo System and Organization Controls (SOC) reports are generated by independent third-party auditors. They provide detailed information on how Dataddo aligns with key compliance controls and objectives.

SOC Reporting Frameworks

SOC reports are essential tools that provide organizations and their stakeholders with assurance regarding the effectiveness and design of the controls relevant to the security, availability, and processing integrity of the systems the organization uses to process users' data, as well as the confidentiality and privacy of the information processed by these systems.

The SOC reporting framework was developed by the American Institute of Certified Public Accountants (AICPA) and includes several types of reports:

SOC 1

SOC 1 reports focus on the controls at a service organization that may impact their clients' financial reporting. They are typically relevant for audits of financial statements where the service organization's services are relevant to internal controls over financial reporting.

SOC 1 reports are divided into Type I and Type II, where Type I reports on the suitability of the design of controls at a specific point in time, and Type II reports on the effectiveness of these controls over a period.

SOC 2

SOC 2 reports are designed to provide insights into the controls at a service organization based on the Trust Service Criteria. Like SOC 1, SOC 2 reports can be Type I or Type II.

• Type I: Measures policies and procedures that are in place at a specific moment in time.
• Type II: Measures the effectiveness of policies and procedures as operated over a specified time period, with a minimum of six months.

SOC 3

SOC 3 reports are a public-facing summary of the SOC 2 report and provides a general overview of the service organization's controls without the detailed and technical information contained in SOC 2 reports. It serves as a general assurance of compliance and security for stakeholders who do not require the detailed information in SOC 2 reports.

Dataddo SOC 2 Type II Report

The Dataddo SOC 2 Type II report is the result of an independent audit conducted by a third-party auditor that examines the effectiveness of Dataddo's security controls over a specified period of time, with a minimum of six months.

The report describes Dataddo’s security controls for Dataddo platform, and examines the suitability and effectiveness of those controls to meet the AICPA Trust Service Principles. It provides an independent assessment of how well Dataddo Cloud manages data with respect to security, availability, and confidentiality.

For Dataddo, SOC 2 Type II compliance is not just a certification; it's a core aspect of our commitment to data integrity and security. This compliance ensures that our processes and services are designed with the highest level of security and reliability, directly impacting how we manage and protect our customer's data. By adhering to SOC 2 Type II standards, we reinforce our dedication to maintaining a secure and trustworthy environment for our users' data.

SOC 2 Type II Principles and Criteria

Principles

The principles of SOC 2 Type II, based on the five Trust Service Principles, guide our daily operations and strategic decisions at Dataddo:

• Security: Robust security measures are implemented to protect against unauthorized access and data physical and logical breaches.
• Availability: Our systems are designed to be available and operational, meeting the agreed-upon service levels.
• Processing integrity: Data processing at Dataddo is accurate, complete, timely, and authorized.
• Confidentiality: Sensitive information is confidential, accessed only by authorized individuals, and is protected throughout its lifecycle.
• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles.

Other Criteria

Apart from the SOC 2 principles, Dataddo is further committed to compliance with the following standards:

• General Data Protection Regulation (GDPR)
• International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001
• Health Insurance Portability and Accountability Act (HIPAA)
• California Consumer Privacy Act (CCPA)
• General Data Protection Law (LGPD)
• Protection of Personal Information Act (POPI Act)

FAQ

Which Dataddo services are in the scope for the SOC 2 Type II report?

The scope of the SOC 2 Type II report includes all services provided by Dataddo.

Who performs the independent 3rd-party audit of Dataddo for SOC reports?

BDO Czech Republic performs the Dataddo SOC 2 audits.

How frequent is the Dataddo SOC 2 Audit and what is the Reporting Period?

The Dataddo SOC 2 Type II report covers the period from March 1, 2024 to May 31, 2025. New reports are released annually.

Is an NDA required to review the Dataddo SOC 2 Type II report?

Yes, you will be required to sign an NDA to access the report.