MarkLogic Achieves SOC 2 Type II Security Certification

We are proud to announce the successful completion of a SOC 2 Type II audit for our cloud service. An independent third party has issued an attestation report for MarkLogic^® Data Hub Service on all five SOC 2 Type II principles:  Security, Availability, Processing Integrity, Confidentiality and Privacy.

Providing a safe and secure platform to manage enterprise data is paramount to our vision of simplifying complex data integration. MarkLogic was already the most secure modern database with the most granular security, most advanced encryption capabilities and the only modern database to carry a Common Criteria security certification. The SOC 2 Type II report speaks to MarkLogic’s continued “security-first” mentality as it applies to cloud services and financial services use cases in particular.

Overview of SOC 2 Type II

SOC stands for “Service Organization Controls,” and SOC II focuses on an organization’s internal controls that are related to compliance and operations, wrapped around five trust principles:

• Security – The system is protected against unauthorized access, both physical and logical.
• Availability – The system is available for operation and use as committed or agreed.
• Processing integrity – System processing is complete, accurate, timely and authorized.
• Confidentiality – Information designated as confidential is protected as committed or agreed.
• Privacy – Personal information is collected, used, retained, disclosed and disposed of according to set guidelines.

The end result is a report that helps organizations evaluate the security of service providers (which includes almost all cloud technology vendors). The audit reporting requirements are governed by the American Institute of CPAs or AICPA.

Example of Security Control

In cybersecurity, a “security control” has a relatively broad definition and refers to the safeguards or countermeasures used to avoid, detect, counteract or minimize security risks to both information and actual physical hardware.

In the context of SOC II and what an auditor looks at, a common example is ensuring that information assets (i.e., data and code) can only be accessed by the right people (i.e., authorization and authentication). This means not only designing the systems to be secure, but also ensuring that the right policies and procedures are in place and that they are followed.

How SOC 2 Type I and Type II Differ

There are two types of SOC 2 reports: Type I and Type II. Both are completed by an independent third-party and cover similar areas of security, but the Type II report is newer and has more stringent requirements. The main difference is that Type I looks at security controls at a specific point in time and Type II evaluates the operational effectiveness of controls over a period of time—the minimum of which is six months—to determine if the controls are operating as described.

Why SOC 2 Type II Matters

At a broad level, security is becoming more and more important as breaches grow in number and severity and the cost of a breach increases. At the same time, organizations are moving faster than ever to deploy and maintain new IT systems, particularly in the cloud. And yet, in an article from consulting firm, McKinsey, “despite the benefits of public-cloud platforms, persistent concerns about cybersecurity for the public cloud have deterred companies from accelerating the migration of their workloads to the cloud.”

With SOC 2 Type II, MarkLogic’s cloud service has independent third-party validation that MarkLogic is a trusted cloud provider for handling mission-critical data. This helps alleviate concerns about cybersecurity so that organizations can accelerate cloud adoption with MarkLogic.

Availability of the Report

The SOC 2 Type II report is not public, but we are able to share it under a non-disclosure agreement. If you would like a copy of the report, please contact us and one of our security experts will get in touch.