hCaptcha has been under the SOC 2 Type II audit regime for some time. Here are some lessons we learned along the way.
There are dozens of competing standards bodies and certifications in the security arena, but perhaps the most widely accepted is SOC 2 Type II.
This certification process includes a detailed examination of your compliance with a number of so-called Trust Principles, the most important of which is Security. The process is performed by an independent auditor (who must be certified by AICPA) and includes expert review and validation of policies, procedures, controls, and historical documentation to confirm your compliance. It also includes separate security audit requirements.
hCaptcha has been under the SOC 2 Type II audit regime for some time and recently completed its latest SOC 2 Type II certification with zero findings, i.e. no deviations of any kind from adopted policies and controls.
In practice, this means that each year we undergo a rigorous external audit to validate that our internal controls meet SOC 2 standards and that these controls were in fact followed over a long period of time. Not every online service does this, and it underlines our commitment to providing users with a secure and private online experience.
Advice for Other Companies Getting a SOC 2 Type II Certification
As a security-focused company, you might assume we had to do relatively little work in order to prepare for a SOC 2 Type II audit. In an operational sense, this was true: we maintain strong internal security controls, receive regular external security audits, and have a long track record of real-world success in this area. This meant we found no material changes required in operational controls during our internal pre-audit review.
However, maintaining strong operational controls is very different from proving that you both have policies that comply with SOC 2 standards and have followed those policies consistently for a long period of time.
It can take many months to analyze, adopt, and validate policies defining all of the things you already do, determine whether you need to add any policies, controls, or documentation, and then choose strategies to generate and manage the reams of paperwork required in a formal audit to prove your compliance at any moment in time.
If you are tackling this process for the first time, we recommend that your first step be to hire an internal compliance lead who has gone through SOC 2 and other audits before. Their work should include designing policies and processes from scratch that closely align with traditional audit wording, rather than simply maintaining existing ones.
One major difference is documentation: you will almost always find you need to add more processes that document who did what, when they did it, and who approved it. Keeping these low friction is critical for maintaining productivity as you add more and more such controls.
Maintaining ongoing compliance and creating the records required to prove it should be automated as much as possible to avoid creating drag on your teams. Platforms like Vanta, SecureFrame, and KnowBe4 can help, but more privacy-focused organizations (like hCaptcha) will tend to end up with their own customized solutions, which is more expensive but allows complete control over data storage and retention policies.
Finally, the very best strategy we can recommend is to simply minimize your collection and retention of data in the first place! Because hCaptcha has an unusual edge-focused and privacy-first architecture, it simply never receives or stores most of the data other services like Google rely on in order to solve the same problems.
Our goal has always been to meet the most stringent data processing standards around the world, and our SOC 2 Type II certification lets you know that an expert outside party has confirmed that the methods we use to secure the hCaptcha service meet or exceed industry standards. Organizations that value privacy or are seeking to comply with global privacy laws like GDPR, LGPD, CCPA, PIPL, and CalOPPA can rest assured that hCaptcha has been fully vetted and approved by external auditors.
hCaptcha is also fully WCAG 2.1 and Section 508 compliant to ensure accessibility for clients and end-users with disabilities, with a VPAT available to Enterprise customers.
A Service Organization Controls 2 (SOC 2) report is also available to Enterprise customers. If you’d like a copy of this report, please reach out to your sales representative or send us an inquiry.