Turso completed SOC2 Type II compliance with zero issues

Turso's SOC2 audit is now complete. And we passed with flying colors!


As a provider of managed databases meant for production workloads, it’s very important that Turso customers have confidence that we have best in class security and compliance practices. So we’re proud to be able to share that we completed SOC 2 Type II compliance with zero issues.

The “zero issues” part is important because it’s not common, and it further underscores our commitment to running our business in a way our customers can have confidence in.

# About SOC 2 Type II

For those unfamiliar with SOC 2 Type II, it confirms that everything we do regarding information security - our policies, controls and procedures - meets the SOC 2 security standard's data management and security requirements. This is all audited by a third party that conducts an extremely in-depth, months-long evaluation of the company and is empowered to certify whether we qualify.

Many companies that handle mission critical production workloads, which is the bread and butter of our business, would not be able to select Turso as a vendor without it.

# How Turso Qualified

Congratulations to Turso for successfully completing SOC 2 compliance with zero issues! It's a testament to their unwavering commitment to security and transparency. With the SOC 2 report, they're showcasing their strong controls and processes, earning trust and respect. Bravo to the team!

-- Steven Miller, Johanson Group

We are a very small team, moving at breakneck speed. For us, keeping our velocity was the number one priority. Some of us in the team had done SOC2 before in other companies, and were initially terrified of the prospect.

It is safe to say that without the help of Vanta, a company like ours, which cannot afford dedicated personnel, would not have achieved the SOC2 attestation. At least not without grinding to a halt.

Vanta automates a lot of the process. It integrates with tools like GitHub, AWS, Linear and others, and makes sure that your controls are passing. Apparently, Vanta had their start by doing SOC2 checklist spreadsheets, and it is easy to see how even that was already disruptive: just finding out all the things you have to do can be quite daunting, and the system constantly tells you how far you are from completing all items and what is left to be done.

# Costs

The SOC2 attestation can be quite costly, and once you receive your attestation you will incur those costs every year. The main costs for us were:

- Vanta: This is a recurring cost that we will gladly pay every year. Those costs include keeping https://trust.turso.tech online and up-to-date.
- Auditors: The audit period takes 3 months, and the auditors will not, of course, do their job for free.
- Pentesters: One of the mandatory items for SOC2 is that a pentest has to be done yearly. The silver lining is that if you work with a reputable firm, this is not just a checklist cost: they really find issues and will help you improve your processes. We have worked with Doyensec, whom we strongly recommend. However, the cost for this is based on the number of API calls that they have to test. For products with a large surface area, this can become a very large item.
- A security consultant: On top of the Vanta cost, we decided to retain a security consultancy to help us through the process.

# Working with a security consultant

One of the main benefits of working with a security consultant, especially in our first year, is that the SOC2 process is slightly different for every company. Some items may not apply to you at all, or you may believe that doing them would not improve your security practices substantially. It is your job to tell the auditors that you shouldn’t follow that process, and why. But it is up to the auditor to accept that or not. They may simply disagree with your assessment.

An experienced security consultant has done hundreds of these attestations before, and has a better sense of how much importance auditors attach to each security item. Vanta will not tell you that - it is not their responsibility - and will only say that a specific item is tied to a specific SOC2 control.

As an example of an item we skipped, we have decided not to implement a bug bounty program. Our fear was that by opening such a program, we would be flooded with fake reports from unskilled developers just trying to make a buck, and our team would not have the capacity to process them. After AI became a thing, you can multiply this concern by 100.

We also skipped items related to the physical network, since we don’t manage one, and decided not to implement any control related to the handling of removable media, opting instead to disallow the use of removable media altogether (which in 2024 is very easy to do).

# A surprising amount of manual work

Quite a few things surprised us, one of them being how much manual work is still required, even when using a platform like Vanta. Some of that manual work, I believe, will apply to everyone seeking the SOC2 attestation. As an example, we now maintain a spreadsheet of access requests by everybody in the company, which can become quite tedious when someone who usually doesn’t work on our frontend, for example, just needs to deploy something to Vercel really quickly. Following the principle of least privilege, only the people who deal with our frontend directly should have access to Vercel, and every other access is requested, justified, and logged.

But some of the manual work will be company specific. If you are using any tool in your stack that doesn’t have an integration with Vanta, then you have to provide the proof of your processes the old-fashioned way. As an example, Fly.io does not have an integration with Vanta, and the cloud provider is one of the things that shows up in a lot of controls.

# Conclusion

SOC2 is hard, but worth it. If you’re a developer, you just want to know whether you can use the product to solve your problem with confidence, and if you’re a business decision maker, you just want to know if you can trust the platform. We hope that whichever you are - or if you’re both - SOC2 Type II certification goes a long way towards answering that question.

Learn more about Turso security at https://trust.turso.tech and try Turso for free today at https://turso.tech
