As part of our continued dedication to information security and the safety of our customers’ data, HireVue completed its first SOC 2 Type 2 Report in December 2017.
A SOC 2 Type 2 report presents HireVue’s clients with the results of an independent audit in the form of an assertion from a third-party auditor. This assertion illustrates that HireVue has implemented appropriate controls to protect our Video Intelligence Platform. Specifically, the Type 2 designation states that the auditor identified not only that the controls are in place, but also that they were operating effectively over a period of time.
To begin this process and prepare for the audit, HireVue underwent a gap assessment and scoping exercise to identify the applicable trust service principles (TSPs) and the related criteria that HireVue would be audited against. HireVue included the TSPs of security, availability, and confidentiality, along with the related criteria and controls, as the context for this audit.
The audit process took into consideration a review of the components used to provide HireVue’s services as well as the controls implemented to protect supporting systems, including:
To demonstrate the depth of the audit, these are several examples of controls that underwent inspection:
Many of the big-name cloud hosting providers have obtained their own SOC 2 report for their offered services. A company that sells software-as-a-service and hosts its resources in the cloud might choose to claim SOC 2 compliance by using the report its hosting provider has obtained. However, the designation of SOC 2 certification/validation would not extend to the services offered by that company, as those services were not reviewed in the scope of the cloud provider’s report.
This is a crucial distinction to make.
While it’s great that the underlying cloud infrastructure has been reviewed against information security standards, this provides no context of security for the system being hosted.
If information security is a priority, you need to ask your vendor for their reporting as it pertains to their in-house controls.
HireVue can now demonstrate to its clients that not only is our hosting platform SOC 2 Type 2 validated, but the HireVue Video Intelligence Platform running on those systems is validated as well.
HireVue has chosen to continue to be subject to ongoing SOC 2 Type 2 audits as part of our continued effort to demonstrate that HireVue is dedicated to protecting our customers’ data. In addition to this process, HireVue has a dedicated information security team to implement and monitor our security controls.
As previously mentioned, the SOC 2 Type 2 report is a third-party validation of HireVue’s controls. When we tell you that your data is secure, you don’t need to take our word for it! This third-party report is available under NDA for all interested customers and potential customers.
SOC 2 Type 2 Certification is an activity that HireVue will continue to maintain. We are also exploring other certification opportunities such as ISO 27001 and FedRAMP to further prove the robustness and stability of the systems we have in place.
Scott Snelgrove, CISSP, is HireVue’s Information Security Compliance Specialist. With over 12 years of experience in information security and penetration testing, he supports the development of HireVue’s Information Security policies, procedures, and controls.