We’re storing highly sensitive customer data in Aha. You’re one of the few co-processors we have. As such, our Compliance team wants more assurance than a one-page ISO 27001 certificate can provide that this data is being protected.
SOC 2 provides much more detail for us to evaluate this. As of 2021, Aha used A-LIGN for ISO 27001; here's more info from their blog comparing the two.
To be crisp, our ask is to provide SOC 2 Type II conformance that addresses, at a minimum, security and availability principles.
The gold standard for compliance is a third-party audit report. Telling us only that you passed leaves open the question of "By how many points?" Are we talking about A- or D- here?
I'm doing my company's service provider review at present and not getting the answers I need in order to tell management they are OK to use your product. If all you have or wish to have is your ISO audit, you ought to be able to share it under NDA.
Thank you for providing your feedback!
Aha! maintains an ISO 27001 certified ISMS and we have intentionally chosen ISO 27001 certification above SOC2 assessment for its international recognition and comprehensive scope. We provide information about our security program at https://www.aha.io/legal/security and our ISO 27001 certificate is available at https://www.aha.io/aha_iso27001_certificate.pdf.
Our annual third party ISO 27001 audits cover both the information security management system itself as well as control audits (similar to a SOC2 audit) against our selected ISO 27002 controls. We will provide our ISO 27001 Statement of Applicability upon request so that you can see which controls we are audited against. A detailed description of these controls is included in our CAIQ response at https://cloudsecurityalliance.org/star/registry/aha/.
We currently do not have plans to add SOC2 assessment in addition to our ISO 27001 certification. We will continue to monitor customer feedback in this area and consider it in the future.