At Drieam, we know how essential information security is for your institution. Therefore, Drieam recently subjected itself to a stringent data security audit by an independent auditor. In order to ensure our information security measures are of the highest standard – we have been audited by the IT audit company. As of now, we are delighted to meet the highest information security standards available for SaaS companies as we have been awarded the SOC Type II Certification. But what does this mean for your institution in practice?

What is SOC2 based on?

SOC stands for Service Organization Control. The SOC 2 Type II examination demonstrates that an independent accounting and auditing firm has reviewed and examined an organization’s control objectives and activities. Next, those controls were tested to ensure that they are operating effectively.

SOC 2 is based on Policies, Communications, Procedures and Monitoring. The specific Trust Service Principles explained below must be met in order to successfully achieve certification.

  • Security: The system has controls in place to protect against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely and authorized.
  • Confidentiality: Information that is designated as “confidential” by a user is protected.
  • Privacy: Personal information is collected, used, retained and disclosed in accordance with the operation’s privacy notice and principles set by the American Institute of

Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
What is the difference between a Type I and Type II report?

In short, there are two levels of SOC compliance:

Type I describes systems and whether their design is suitable to meet relevant trust principles. The Type I report is preliminary to the Type II report and is based on the ability to test and report on design. Type I reports are issued to organizations that have audited controls in place, but have not yet audited the effectiveness of the controls over a period of time.

The Type II report is issued to organizations that have audited controls in place and the effectiveness of the controls have been audited over a specified period of time. Organizations are checked for at least 6 months after Type I.

Why is it important that Drieam has the Type II report?

To get the Type II certification, an organization’s internal control policies and practices must be thoroughly examined by a third party over a specific period of time. This means that Drieam has been inspected by the IT Audit company for almost a year. During the review process, the company had to ensure that Drieam met the stringent requirements set forth by the AICPA and CICA. When trusting an application with highly sensitive and confidential information, such as passwords, documents and secure images, obtaining high-level certification is imperative.

Thanks to the SOC2 audit and certification process, you can now be confident that Drieam has access control procedures in place and we are fully trusted with highly confidential information. You can request our SOC 2 Type II report, though it is for limited distribution.

To request the SOC2 Type II report, please visit the respective trust portals of Eduframe, Portflow or Qualtrics LTI.