Introducing Fauna’s SOC2 Certification
As a provider of a cloud-native data API, customer data protection and privacy have been our top priority from day one. Over the past year we have doubled down on this commitment by reviewing and improving our internal controls across the board, from our people management to the way we release software to our application code and production environments.
Earlier this year we committed to an external audit of these controls, and we’re pleased to share that Fauna’s first SOC2 Type1 report, prepared by auditors Sensiba San Filippo and detailing our implementation of the framework, is available upon request. The report complements our work to comply out-of-the-box with the requirements of the EU General Data Protection Regulation (GDPR) and other global regulatory regimes.
Why SOC2?
Although we drew on several frameworks while developing our security program, we chose the SOC2 approach for our first external audit because of its focus on data protection and privacy and its applicability to organizations (like Fauna) that process customer data.
As a company based in the United States, using a compliance framework developed by the American Institute of Certified Public Accountants for companies providing global services meant we had ample resources to guide us through this process.
SOC2 Scope
What was included in the audit? At a high level, Fauna was assessed on the themes of Security, Confidentiality & Availability for the technical infrastructure and company processes required to produce and support the Fauna service.
Among the areas our auditors examined were:
- Change management
  - Updates to the database, UI and API are linked to documented requirements, and merging new code requires peer review.
- Secrets management
  - Encryption keys, passwords and other secrets are stored securely in access-controlled vaults, with permission granted on a need-to-know basis.
- Metrics-based alerting
  - Operational performance of database infrastructure feeds near-real-time dashboards and alerting systems.
- Server-based security monitoring
  - Host-based agents on database hardware alert the security team on a range of events, including unusual outbound connections, anomalous authentication events, and suspicious server processes.
- Hiring, onboarding & offboarding processes
  - The People Team ensures that the skills and talents of new hires fit the requirements of each open position, conducts screening during the hiring process, requests appropriate access based on role, and is responsible for confirming that this access is removed when personnel leave the company.
- Access controls
  - The security team grants access to company resources based on role and reviews these access grants on an ongoing basis.
- Vulnerability management
  - Fauna conducts regular third-party penetration tests and receives vulnerability reports from independent security researchers on an ongoing basis. Security bugs are remediated by priority and tracked to resolution.
For more about Fauna’s data protection and privacy practices, including a new whitepaper on our security best practices, visit our new trust page!
What’s Next?
We are continuing to deepen our commitment to ongoing external audits and have begun the SOC2 Type2 audit period, a rigorous external examination of the controls presented in our current Type1 report over time. In addition, we continue to align our internal controls with the ISO27000 series frameworks.
Learn More
Fauna has built a secure and reliable database on a comprehensive, externally audited framework. Interested in discussing our audit report, or do you require a copy as part of an evaluation of Fauna? Get in touch here.
If you enjoyed this post and want to work on challenges related to globally distributed systems, serverless databases, GraphQL, and Jamstack, Fauna is hiring!