We are proud to announce the completion of our SOC2, Type 2 audit which is an independent verification of our system and of our security controls, designed to give our clients confidence that we will keep their data secure, available, and confidential.
In 2021 we completed our SOC1, Type 2 audit, and now have completed our SOC2, Type 2 as well. We believe that the combination of SOC1 and SOC2 audits is essential to give our clients maximal confidence in our system as they entrust us with not only their critical data but also their financial calculations and reports.
Our stance on security
AppFolio takes security incredibly seriously and from our inception we have designed a system with security top of mind. From how we develop software, to the software packages we rely on, to the vendors we work with, security is a foremost concern. We know that our clients’ trust in our system is everything — that all of the great, time-saving features we offer are not going to matter if they can’t trust us to keep their data safe. It’s why we conduct regular security audits of the system and why we pay security researchers to try to find vulnerabilities before hackers do. It’s why we have invested the time and energy to complete our SOC2 audit.
AppFolio chose to pursue both SOC1 and SOC2 Type 2 audits to give our customers and partners maximal confidence in our system. We decided to spend the time and energy on Type 2 audits because we didn’t believe that our customers should rely on Type 1 audits. We chose to do both SOC1 and SOC2 due to the nature of our system, requiring confidence not only in security and availability but also in financial reporting.
An overview of the certification
SOC stands for System and Organization Controls, which are a set of standards designed by the American Institute of Certified Public Accountants (AICPA). They intend to help measure how well an organization controls and safeguards data for its customers and partners. SOC audits have emerged as the de facto standard in the US for independent verification of software providers.
SOC1 audits have a financial focus. They help a service provider like AppFolio examine and report on its internal controls relevant to its customers’ financial statements. A SOC1 audit covers controls around processing and securing customer information, spanning both business and IT processes. SOC1 reports are often used by external auditors, helping them understand the effect of a service provider’s controls on its customers’ financial statements.
SOC2 audits have varying criteria but are generally focused on security. They examine and report on a service provider’s internal controls relevant to security, availability, processing integrity, confidentiality and/or privacy of customer data. The security criteria is required in a SOC 2 audit, but a service provider can choose which of the other criteria are appropriate for the nature of their system and operations. AppFolio chose security, availability, and confidentiality due to the nature of our system and services. SOC2 reports are often used by prospective customers to help understand a service provider’s security and compliance practices.
Both SOC1 and SOC2 have Type 1 and Type 2 audits. Type 1 audits are a point in time audit where the auditor examines the organizations’ controls at a specific point in time and comments on their effectiveness. Type 1 audits are less rigorous because they do not test whether the controls were adhered to over time. Type 2 audits are more rigorous and report on an organizations’ controls over a period of time. Type 2 audits require multi-month observation periods where auditors test whether controls were adhered to over time.
As partners to the investment management industry we understand the importance of ensuring top-grade security for our customers, and are happy to deliver on that promise with this updated certification.
You can learn more about AppFolio Investment Manager and the secure tools we provide to general partners here.