Welcome to the SRP Forum! Please refer to the SRP Forum FAQ post if you have any questions regarding how the forum works.

SOC 2 Type 2 report Vulnerability/code scan reports

I asked this on the Revelation forum website, I thought I'd ask here as well. Has anyone had to respond to something like this?

A potential customer just asked for the following information. Does anyone have any idea how to respond to this? The OI application will be installed on a server on their property. Thanks in advance for any advice.

Please let me know if you can address these:
1. SOC 2 Type 2 report
2. Vulnerability/code scan reports


  • Not specifically for SOC 2 Type 2 but in general we have had cyber security questionnaires from many clients. In my opinion, the most important thing to find out is which of these security controls applies to your product since they are self-hosting it. In many cases, the client will throw out a security control plan because it is their policy, or their cyber security team requires it, but since they are hosting the product a good portion of that plan applies to their own network and not your product. For example, firewall configurations are often a security item but that normally does not apply to software. Finding out exactly what applies to your product is key to being able to answer these questions correctly.

    Regarding vulnerability and code scans, we have had those done against our public facing websites but I do not recall anyone running it against an OpenInsight product. I am sure a basic scan can be done but I am not aware of any industry standard code scans for OpenInsight.

    All that being said, I would highly recommend that you get someone who is an expert in this field so they can assist you in making sure your application is secure and follows all of the required security controls.
  • Very interesting, thanks for spending the time to respond.

    The more I think about this I think the IT guy that is asking these questions is thinking this is going to be something we are hosting for them which is not the case.
  • edited September 2022
    Jim - although a very late reply, just an FYI. SOC 2 Type 2 report(s) is a very specialized type of audit. Typically companies who store client's data, are required to be SOC II compliant. Its not just where the data sits on server, it has to do with encryption of data, where data is stored, who has access to the data, etc etc. Obviously a GOOGLE search will provide much more detail, as the "audit" or "exam" is very involved. Typically a 3rd party entity comes into the organization and audits the company for SOC II compliance. If any issues arise, the 3rd party entity will discuss and recommend solutions to the issues. At a prior employer, we did the SOC II audits annually, once completed, if a client requests a copy, we provide the report to the client, as well as, passing some of the costs onto the client. SOC II audits/exams are expensive and require a specific skillset. HTH.
Sign In or Register to comment.