Procore and SSAE18: SOC 1 & 2
Procore’s commitment to information security and privacy
We understand that there’s a lot of trust on the part of our customers to keep their data on the Cloud. Security is a top priority for Procore and we continue to invest significantly in broad initiatives to ensure that our customers’ data is safe, secure and private.
Procore is committed to protecting its clients, subscribers, employees and Procore from damaging acts that are intentional or unintentional. Effective security is a team effort involving the participation and support of every Procore user who interacts with data and information systems.
Procore understands the International Organisation for Standardization (ISO) 27001:2013 is the de facto international standard for an Information Security Management Program. Procore decision to pursue a globally respected industry benchmark standard demonstrates a commitment to its Information Security Program and to its customers and business partners.
What is SSAE18 SOC Certification?
Statement on Standards for Attestation Engagements no.18 (SSAE 18) is an auditing standard for service organisations maintained by the American Institute of Certified Public Accountants (AICPA). The System and Organisation Controls (SOC) reports are the output of an SSAE18 Audit. The SSAE18 standards supersede the Formerly SSAE16/SAS70 standards.
- A SOC 1 Report is relevant to user entities’ internal control over financial reporting.
- A SOC 2 Report focuses on a business’s non-financial reporting controls as they relate to key Information security Trust Principles of: Availability, Processing Integrity, Confidentiality and Privacy of data.
There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organisation’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 - report on the fairness of the presentation of management’s description of the service organisation’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
What this means for Procore customers?
To uphold the same levels of trust that our customers invest into Procore, these 3rd-party audits and certifications of our systems provide aim to provide a high level of confidence and trust in our ability to assess security risks associated with your data.
Furthermore, it illustrates to Central government, public and private entities that an accredited agency has independently assessed Procore’s security programme which has satisfied the SSAE18 industry best practices and controls.
While Procores SOC certifications do not automatically apply to your organisation, if you are looking to pursue these compliance initiatives, then our certifications will help simplify the process for your organisation.
Procore will supply (on a confidential basis) a summary copy of an audit report(s) to customers that reflects its compliance, so that customers can verify Procore's compliance with the audit standards against which it has been assessed. Please reach out to Procore Support or the Sales Team to obtain a copy.
A summary of other Procore Security and Compliance Measures can be found here.