According to a Comparitech study from January 2025, over 195 million pieces of data have been compromised as a result of ransomware attacks in the past year.
Companies, which handle an astronomical amount of confidential data every day on behalf of their customers or their customers' customers, are obviously the prime target of these cyberattacks.
So, on what basis can trust be established when delegating the management of confidential data to a third-party company? The answer lies in an obscure acronym: SOC 2 Type 2, an international security certification based on tangible proof. No empty talk, just concrete evidence.
By Anna Larrouy
SOC 2 Type 2: a solid security certificate
Simply put, SOC 2 Type 2 is a certificate that confirms a company’s ability to store and protect data, over the long term and against any modification. Traditionally, SOC 2 Type 2 certification has been aimed at medium-sized and large companies providing technology or data processing services, in particular cloud service providers, who handle, store or process sensitive data on behalf of their customers.
Today, however, a number of small companies, such as TechNuCom, are gaining access to this certification, in order to be able to manage customer data serenely as part of ERP and CRM implementation projects.
SOC stands for System and Organization Controls, and was developed by the American Institute of Certified Public Accountants (AICPA). It is a highly rigorous audit carried out by an independent firm, based on 5 principles of trust:
- Security: protecting systems against unauthorized access. In other words, being able to withstand a cyber attack is the first criterion for certification.
- Availability: keeping the system functional and accessible at all times.
- Processing integrity: processing data accurately, without errors or bugs.
- Confidentiality: protecting access to sensitive data.
- Privacy: collecting, storing and using personal data in compliance with applicable regulations.
Becoming SOC 2 Type 2 certified: a long and demanding process
Unlike the Personal Information Protection and Electronic Documents Act, SOC 2 Type 2 certification is not legally binding. The process of obtaining it, however, is a real obstacle course. It often mobilizes the entire team and requires special training.
The company begins with a preparation phase, during which it analyzes its systems. What are the weaknesses? What security procedures are missing? This is the stage when the rules of the game are defined, the necessary controls are chosen, and a great deal of time is spent rethinking the entire organization.
The next phase is the observation period. It generally lasts 9 to 12 months, during which the controls must be documented on an ongoing basis to serve as evidence for the next stage: the audit. Nothing is left to chance: every procedure, every action, every measure must be provable.
At the end of these long months of observation, an independent firm of chartered accountants analyzes this evidence, questions the company and carries out a series of tests. These include, of course, the penetration test, which simulates a cyber attack. During this phase, the firm does meticulous work, analyzing and testing everything down to the smallest detail. A confidential report is then drawn up, summarizing all the tests carried out for certification purposes.
Once the quest for the Holy Grail is over… we start again. After all, the report is only valid for one year. The process, in all its complexity, must therefore be repeated every year to maintain certification.
SOC 2 Type 2: an indicator of the level of discipline
For customers of companies with this certification, it’s a guarantee that their data is stored, treated confidentially, and protected against potential leaks. So it’s no coincidence that SOC 2 Type 2 certification has become an almost systematic requirement for government agencies and major private-sector clients.
The process of obtaining SOC 2 Type 2 certification is particularly complex, and is proof of seriousness and rigor. And for an SME, it means being part of a minority of organizations that have chosen to go beyond the regulatory minimum.
SOC 2 Type 2 certification also means greater transparency and efficiency in the supplier selection process. Rather than multiplying audits or technical exchanges, everything is summarized in a single report that both centralizes and clarifies the company's processes, and whose credibility rests on the independence and methodological rigor of the auditing firm.
Last but not least, the need for annual renewal forces companies to maintain their data security standards and constantly adapt to new threats. As an Odoo integrator, TechNuCom was proud to obtain SOC 2 Type 2 certification for the 3rd time in 2025, and is now preparing to do so again in 2026.