Sunny Day Fund is excited to announce that our organization and workplace emergency savings platform is now SOC 2 Type 2 certified! The nearly year-long process resulted in a clean audit opinion for us and the certification reinforces our commitment to employers’ and employees’ data security, privacy, and compliance. Users can take comfort in knowing that their data is secure and handled with the utmost care.
Why is this Big News?
The SOC 2 Type 2 certification is a major milestone for any organization; the process verifies that clients’ data (in our case employees’ and employers’ data) is protected and kept private from unauthorized users. The certification is especially important in the current environment where data privacy is top of mind for users of digital products, especially when money and banking are involved. The SOC 2 Type 2 provides companies peace of mind that they are working with an organization focused on protecting their employees’ data.
Sunny Day Fund received a clean audit opinion (known officially as an “unqualified” opinion). An “unqualified” opinion means that we have passed our audit with flying colors and that the controls our independent auditor tested were designed and operating exactly as they should be. Additional information on the types of audit opinions can be found on Secureframe’s website.
What does this mean for my organization?
Two things –
- If you’re an HR or Finance leader who’s evaluating our award-winning workplace emergency savings program to bring to your organization, you want to do the proper due diligence to confirm that our systems and processes are legitimate. The SOC 2 Type 2 certification checks the box during that due diligence for both yourself and your IT, Procurement, or Legal departments.
- And as we implement with you and your third-party stakeholders like payroll and TPAs (third-party administrators of benefits), you can rest easy that we will work with them in a formal and secure capacity to deliver our innovative program.
And by achieving this standard, we’re sending you and all of our employer and employee stakeholders a signal that we will always put your employees’ data first! So as you consider impactful financial benefits beyond 401(k) for your employees but with the same data security rigor, know that Sunny Day Fund is at the top of the list.
Tell me more about SOC 2 Type 2 audits
All SOC 2 Type 2 audits are conducted by an independent third-party auditor. The audit is requested by the company being audited and is a review of all internal controls (there are nearly a HUNDRED parameters across which we are tested!) to determine how well those controls are operating.
Typically, organizations, such as yours, that use cloud-based services request a SOC 2 report to assess and address the risks associated with using that third-party organization’s services. A SOC 2 report covers the principles of Security, Availability, Confidentiality, and Privacy. Additional information about SOC 2 audits is available on the AICPA’s website.
Why did Sunny Day Fund choose Type 2 over Type 1?
A Type 1 report only covers (1) management’s description of the organization’s system and (2) the suitability of the design of controls. It does not test the effectiveness of the controls. Testing the effectiveness of the controls is key to understanding if the controls are working as planned and customer data is being protected as it should be. In other words, we felt a Type 1 audit would fall short of the high standards that we’ve set for ourselves and how we’d like to consistently perform.
That’s why we elected to go for a Type 2 report, which takes the Type 1 a step further. In addition to the report covering (1) management’s description of the organization’s system and (2) the suitability of the design of controls, it also (3) tests the operating effectiveness of controls. This not only verifies that the controls are designed properly, but also that they are working as they should in order to keep customer data secure. This is what’s important – that we both have the necessary controls AND are practicing against those controls on a daily basis over the review period. We did this as employees were saving thousands of dollars on our employer-rewarded savings platform.
How often is Sunny Day Fund audited?
Our auditor has certified our SOC 2 Type 2 status through early next year. We look forward to undergoing the process again next Winter to ensure our standards are continually aligned with the latest guidance on data protection, privacy, and risk mitigation. In fact, we have operationalized automated security and compliance software to make sure Sunny Day Fund always stays on track, including through the next formal review period.
We appreciate you learning more about this major milestone for us and we’re excited to continue to use our award-winning emergency savings platform to make your employee experience better. Check back in with us again soon for updates on product features, trends in the benefits space, and changes to legislation that could impact your organization. From all of us at Sunny Day Fund, we hope you have a sunny day!