Acupay Obtains SOC 2 Type II Certification
On 30 May 2024, Acupay achieved a significant milestone by receiving our Association of International Certified Professional Accountants’ (AICPA) SOC 2 Type II certification. This certification is a testament to Acupay's unwavering commitment to maintaining the highest level of information security. Our dedication extends beyond implementing industry best practices to maintaining the Acupay Information Security Ecosystem and engaging third parties to ensure that we not only meet, but exceed, industry and client standards.
What is a SOC certification?
SOC stands for “System and Organization Controls.” There are 3 types of SOC certifications: SOC 1, SOC 2, and SOC 3. SOC 1 focuses on financial controls, while SOC 2 focuses on organizational security and operations. SOC 3 certifications focus on a portion of the SOC 2 and are used when the breadth of a full SOC 2 report is not required.
Of the 3, the SOC 2 has emerged as the de facto standard in the cybersecurity industry and is a process that takes more than a year to complete. It begins with a SOC 2 Type I audit, which confirms that controls supporting the Trust Services Principles are in place and adequate. The Type II audit is a comprehensive review of the previous year to determine the effectiveness of those controls, and whether a company can prove that they:
Have established data security controls that protect their customers' data against unauthorized access.
Can detect and respond to anomalies and security incidents throughout their ecosystem.
Can implement repairs and restore availability to their systems in the event of a data breach or system failure.
The AICPA established the SOC 2 framework, and its purpose is to provide a regular, independent attestation of the controls that a company has implemented to mitigate information-related risk. It is centered around five Trust Services Principles, which include:
Security
Availability
Processing Integrity
Confidentiality
Privacy
Audit Results
Acupay successfully passed its audit, with no adverse findings, which is the highest achievement in this process. This should instill in our stakeholders a strong sense of confidence in our abilities and the controls we have in place to maintain information security.
Our 2024 SOC 2 Type II audit was conducted by Marcum LLP, one of the largest independent public accounting and advisory services firms in the United States.
Importance of Third-Party Assessment
At Acupay, we believe in the importance of third-party assessments. These assessments, due to their neutral nature and the assessors' need to maintain their standing in the industry, provide us with strong and direct feedback on our adherence to the SOC 2 Type II standard. Examples of other third-party assessments we utilize include Crest Certified Penetration Testing and the Swift Customer Security Controls Framework (CSCF) Security Assessment.
Commitment to Information Security Excellence
Acupay's achievement of obtaining the SOC 2 Type II certification is another example of our industry-leading information security practices, and we are proud to be at the forefront of this standard. While we are celebrating this accomplishment, we also remain mindful that, because the SOC 2 Type II audit recurs annually, this is just another step in our journey of keeping our systems and the information provided to us safe and secure.