Canopy Completes SOC 2 Type 2 Certification

Why the gold standard for data security should be table stakes for Fintechs

Consumers and businesses are quickly adopting Buy Now Pay Later (BNPL) and other innovative lending products. In the United States, 45 million Americans spent $21 billion on goods and services using BNPL last year. Cybercriminals are paying attention.

According to VMWare’s Modern Bank Heists Report attacks against the financial sector increased 238% increase in 2020. Data breaches are also on the rise. Verizon’s 2021 Data Breach Investigations Report confirmed 5,288 global data breaches, up 33% from 2020.

Consumer and commercial financial data require top-level data protection. To that end, Canopy is proud to announce the successful completion of an independent SOC 2 Type 2 audit of the system controls we designed, implemented, and operate to provide reasonable assurance of our service commitments around security, availability, processing integrity, confidentiality, and privacy.

What is a SOC 2 report?

The American Institute of Certified Public Accountants (AICPA) created Service Organization Control Reports in 2011 as a framework for assessing both a service organization’s operational practices and its ability to implement them. The SOC 1 and SOC 2 reports were designed to address the need for financial information and data security assurance. SOC 1 Type 1 and Type 2 examine controls and processes that could affect financial reporting. SOC 2 Type 1 and Type 2 look at controls that protect sensitive data. 

Many SaaS companies now voluntarily choose to certify data protection by contracting independent auditors to assess their data protection standards. It is increasingly common for organizations to achieve SOC 1 & 2 Type 1 compliance, which attests to the suitability of controls at a specific point in time. 

Fewer organizations can attest to compliance under the Type 2 criteria, which look at controls over a minimum six-month period. A SOC 2 Type 2 report requires a significantly greater time, resources, and human capital investment than Type 1. Additionally, some companies may be reluctant to undergo a Type 2 examination due to the challenges created by an extended testing period.

Prioritizing security and data protection

Canopy chose to undergo both the Type 1 and the more rigorous Type 2 audit. We also extended the Type 2 audit beyond the minimum six months to ensure meaningful results. Our auditors looked at the design and implementation of our controls from December 16, 2020 to October 15, 2021. Their report is available upon request. 

Canopy’s SOC 2 Type 2 report is intended to provide prospective and current clients with information that may be useful in assessing risks that could arise from interacting with our platform. In particular, the report focuses on controls designed to achieve the trust services criteria relevant to security set forth in TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. From now on, Canopy will conduct an annual SOC 2 Type 2 audit covering the security trust services criteria.

SOC 2 Type 2 is table stakes

Our investment in the appropriate system controls and our commitment to rigorous ongoing third-party audits reflects our belief that achieving the highest levels of security and data protection should be the starting point for any Fintech. In Canopy’s case, we prioritized security above other business functions. We initiated our SOC 2 Type 2 audit more than six months before we began building out our sales, marketing, and HR teams. We will continue to evolve our controls along with our platform, but one thing won’t change: the paramount importance of security in the design, deployment, and operation of our platform.