February 25, 2022

Amberflo has achieved SOC 2 compliance


At Amberflo we constantly stress that our solutions, Amberflo Billing Cloud and Amberflo Metering Cloud, are built with cloud platform design principles in mind, delivering high standards of security, performance, and availability. We are pleased to announce that Amberflo has achieved SOC 2 Type 1 compliance, with a report covering the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. From the beginning, we felt that these attributes are fundamental to a metering and billing platform, and we engineered the solution expecting our customers to demand the highest level of performance in each area. It is exciting to see our approach validated by an independent audit against the criteria set by the American Institute of Certified Public Accountants (AICPA).


What is SOC 2 Type 1 compliance?

SOC 2 Type 1 compliance means that an independent, licensed audit firm examined the design of Amberflo’s controls and operating procedures against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy, and attested that, as of the audit date, those controls were suitably designed and in place to safeguard customer data and deliver the service as described. A Type 1 report covers control design at a point in time; a Type 2 report additionally tests that the controls operated effectively over a review period, typically six to twelve months. We continue to work towards the Type 2 milestone and will update when it is achieved.


Why is it important?

Cyber incidents that expose or destroy private data are increasingly common, and society relies ever more on these systems being secure and performant. It is therefore more important than ever for businesses to have, and to demonstrate, a competent strategy for protecting private information and for continuously delivering the service levels promised in their service level agreements.

We’ll briefly outline the five Trust Services Criteria that are assessed and their significance to our customers.


Security

According to the AICPA, security means: 

“Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.”

In practice, this means we follow industry-recognized practices for identity and access management, two-factor authentication, and firewall maintenance, to name a few, and that we have documented security policies, procedures, and training in place for all team members. Data entrusted to Amberflo is protected and accessible only to authorized users.


Availability

The AICPA’s availability criterion, paraphrased:

“System meets availability standards as outlined in a service level agreement.”

We guarantee 99.99999999999 percent availability in our SLA. When the auditors assessed Amberflo for availability, they examined whether the controls needed to deliver on that commitment are designed and in place. Our system is built to be the system of record for usage and consumption data; billing is computed from this data, so it is crucial that the data be complete and current at all times. Customers can build this critical infrastructure on Amberflo knowing that the system is designed to stand up as a true system of record and single source of truth within their organization.


Processing integrity

According to the AICPA, processing integrity means: 

“System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.” 

Meeting this criterion means that the system processes data as expected. This is absolutely essential for a metering service and a key point to highlight. We guarantee accuracy: ingestion is idempotent and records are deduplicated. In simple terms, for any record sent to Amberflo, we guarantee that it will be processed exactly once. A retried or duplicate submission will not be counted twice, and an accepted record will not go unprocessed. Customers should take comfort that an impartial third party has reviewed the controls behind these claims, but should continue to challenge us to deliver on these promises without fail.
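The exactly-once property described above rests on an idempotency key: a retry of the same record must collapse onto the record already counted, while a genuinely new event with the same content must not. The following is an added illustration written for this page, not Amberflo’s code or API; the record field names (unique_id, customer_id, meter_name, value, time_ms), the key-derivation scheme, and the in-memory store are all assumptions. It shows the two cases a practitioner should test: a client retry after a timeout, and two distinct events that happen to carry identical values.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MeterRecord:
    """One usage event. Field names are assumed for this illustration;
    unique_id is the client-supplied idempotency key, if any."""
    customer_id: str
    meter_name: str
    value: float
    time_ms: int
    unique_id: Optional[str] = None


def dedup_key(rec: MeterRecord) -> str:
    """Return the key under which this record is deduplicated.

    An explicit client key wins, scoped by customer and meter so two
    customers cannot collide. Without one, derive a key from the
    canonical content so a byte-identical retry still collapses."""
    if rec.unique_id:
        return f"id:{rec.customer_id}:{rec.meter_name}:{rec.unique_id}"
    canon = json.dumps(
        {"c": rec.customer_id, "m": rec.meter_name, "v": rec.value, "t": rec.time_ms},
        sort_keys=True, separators=(",", ":"),
    )
    return "sha256:" + hashlib.sha256(canon.encode("utf-8")).hexdigest()


@dataclass
class MeteringStore:
    """Toy in-memory store. In a real service the 'seen' check and the
    insert must be one atomic operation against durable storage (for
    example a unique-constraint insert), or concurrent retries can both
    pass the membership test and double-count."""
    seen: Set[str] = field(default_factory=set)
    totals: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def ingest(self, rec: MeterRecord) -> str:
        key = dedup_key(rec)
        if key in self.seen:
            return "duplicate"          # already counted: acknowledge, do not re-add
        self.seen.add(key)
        agg = (rec.customer_id, rec.meter_name)
        self.totals[agg] = self.totals.get(agg, 0.0) + rec.value
        return "processed"

    def usage(self, customer_id: str, meter_name: str) -> float:
        return self.totals.get((customer_id, meter_name), 0.0)


def demo() -> Tuple[List[str], float]:
    """Constructed sample traffic covering retry and look-alike events."""
    store = MeteringStore()
    results: List[str] = []

    # Case 1: client times out and resends the same keyed record.
    r = MeterRecord("acme", "api_calls", 10.0, 1645747200000, unique_id="evt-001")
    results += [store.ingest(r), store.ingest(r)]

    # Case 2: no client key; a byte-identical retry collapses via the content hash.
    s = MeterRecord("acme", "api_calls", 5.0, 1645747260000)
    results += [store.ingest(s), store.ingest(s)]

    # Case 3: same values as r but a distinct key: a real second event, counted.
    t = MeterRecord("acme", "api_calls", 10.0, 1645747200000, unique_id="evt-002")
    results.append(store.ingest(t))

    return results, store.usage("acme", "api_calls")


if __name__ == "__main__":
    print(demo())
```

Case 3 is the reason a content hash alone is not enough: two legitimate events with identical values and timestamp would be silently merged, under-billing the customer. Clients should always send an explicit key, and the hash fallback exists only so that an unkeyed retry does not over-bill.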


Confidentiality

The AICPA’s confidentiality criterion, paraphrased:

“Data is safe from unauthorized access.”

We have a robust infrastructure in place to keep data safe, and our customers can be confident that data entrusted to us is protected from unauthorized access. Usage and billing data is of tremendous value and sensitivity to customers and their vendors, and we maintain strict access controls and security technologies to preserve its confidentiality. We understand that security and confidentiality are not checkbox items; they require daily effort and vigilance to evaluate the changing landscape and improve, and we commit ourselves to doing so.


Privacy

The AICPA’s privacy criterion, paraphrased:

“Personally identifiable information (PII) is private and users have full control over its use.”

We offer our platform as a building block that our customers use to build and expand their own offerings and addressable use cases. We communicate clearly what data we collect and how it is used, accessed, persisted, and stored. Our meter record is a flexible, developer-friendly structure: users choose what metadata is attached to each record, which gives them control over what data is collected and how it is aggregated and transformed.


Looking ahead

This is a great step for Amberflo and we’re excited to share the news. We will continue working toward SOC 2 Type 2 compliance while delivering the highest levels of security and performance to our customers and providing the critical infrastructure that supports their event metering and usage-based pricing use cases.