We are excited to announce that On-Call Optimizer has achieved SOC 2 Type II compliance!
This achievement provides third-party validation of our commitment to security and compliance and demonstrates the value we place on earning and retaining our customers’ trust.
What is SOC 2 & Why is it important?
SOC 2, or Service and Organization Controls 2, is a framework governed by the American Institute of Certified Public Accountants (AICPA). In a SOC 2 audit, an independent service auditor reviews an organization’s policies, procedures, and evidence to determine whether its controls are suitably designed and operating effectively. A SOC 2 report communicates a company’s commitment to data security and the protection of customer information.
SOC 2 compliance demonstrates our commitment to earning and retaining our customers’ trust and is a major foundation of our overall security posture. By undergoing a SOC 2 audit, our controls and processes were validated by a third party that attests to the operation of the controls relevant to On-Call Optimizer.
Accessing the report
To view our SOC 2 report, please visit our trust center and request access.
From the trust center you can also access related information such as penetration testing reports.
Why we pursued SOC 2 now
SOC 2 compliance is an integral step in proving to customers, stakeholders, and interested parties that an application values their trust and has effectively implemented security controls.
Small companies and startups are typically advised against pursuing SOC 2 compliance due to the perceived burden of implementing security controls. However, following this advice means giving up on larger customers who require SOC 2 compliance as a baseline for purchased services.
On-Call Optimizer’s flexible scheduling and hassle-free swaps benefit teams of all sizes, but a significant portion of our existing and target customer base consists of large businesses where SOC 2 compliance is required, so I was not willing to accept that advice.
My experience and background building and operating large mission-critical applications at Google and other large companies made it possible to treat SOC 2 compliance as a primary requirement of On-Call Optimizer’s architecture, and of how MKMBA Limited operates, from day zero.
Achieving SOC 2 compliance at this unusually early stage in On-Call Optimizer’s product journey provides a significant strategic benefit in how On-Call Optimizer is positioned and sold.
We’ve demonstrated our commitment and ability to meet enterprise security requirements while retaining the flexibility, speed, and efficiency advantages of being small and nimble. This unique position enables On-Call Optimizer to offer a transformative improvement to the on-call experience compared to existing solutions.
Key lessons and takeaways
The overall process of achieving SOC 2 compliance was straightforward and required only a modest additional time commitment on top of work that was already planned. A lot of the discussion and commentary you hear about how hard and how much effort SOC 2 compliance requires comes from companies and applications which have been built without the necessary controls and security policies in mind from the start.
Retrofitting and backfilling requirements may certainly be a toilsome process, but for On-Call Optimizer and MKMBA Limited, the vast majority of what was required to fulfil the controls felt to me like sensible, baseline, common-sense security and operational practices that I would have been unhappy not to have in place regardless of whether SOC 2 compliance was a goal.
- Compliance tooling is worth the investment. I initially started the SOC 2 journey using a free product which looked promising, but turned out to be slow, hard to use and inflexible, requiring the use of hard-coded policies and processes. After that experience, it was easy to see why so many companies go with Vanta. The integrations worked nicely and saved a lot of time in pulling in check results and data from our production systems, and the flexibility to fully customize and import your own policy wording is great.
- Keep your policies simple. So much of the SOC 2 process comes down to the policies you adopt and your ability to follow and execute them reliably. Tailscale provides some great examples and combined with Vanta’s templates and the guidance of our consultant (see next point), we were able to put together short, easy to understand and therefore easy to follow and adhere to policies in no time at all.
- A little expertise goes a long way. After my initial stumbles trying to go it alone with the free product, I realized that guidance from an expert would be wise and engaged Advantage Partners to provide pre-audit consulting which significantly sped up the process of gaining confidence that we had everything in place to begin the audit window.
From engaging Advantage Partners and onboarding into Vanta to concluding our 3-month audit window and receiving our Type II report took six months. That period included at least 3-4 weeks of very minimal effort on my side over the Christmas/New Year period, and only very occasional commitments of time during the observation period itself from Apr-Jun.
What’s next?
With our initial SOC 2 report issued, the foundation of On-Call Optimizer’s security posture is well and truly in place and demonstrated.
The processes and controls demonstrated during the audit window will continue to be maintained on a day-to-day basis, with Vanta providing assurance that we remain ready for the next regular audit period when it arrives.
As On-Call Optimizer continues to develop as a product, our security principles guide its design and architecture: we minimize the amount of customer data accessed and how long it is stored, and we use multiple overlapping layers of protection, monitoring and auditing to ensure that data remains secure and is used only for the requested purpose.
Experience flexible scheduling and hassle-free swaps today
With SOC 2 compliance now in place, your security and procurement teams can move forward with confidence that On-Call Optimizer meets enterprise security requirements, while you deliver the flexible scheduling and hassle-free swaps your team needs.