We’ve taken data and privacy seriously since day one at Pocus, which is why we’re excited to announce that Pocus is SOC 2 Type 2 compliant.
While many companies wait until their series B or even later rounds to invest time into certifying security efforts, we felt the need to address this early so all customers felt safe sharing their critical product usage and customer data with Pocus.
Our team has not only met the requirements for SOC 2 Type 2, we have also invested resources into building our own unique data privacy architecture.
Secure by design
Keeping data safe has never been more important.
Hackers in recent years have gained access to vulnerable systems from cities to Fortune 500 companies.
Our Product-Led Sales platform has the highest data privacy and security architecture in place for those very reasons. By making this foundational to our product, we’ve embedded a strong culture around data privacy and security first. Security is a central tenet not just of our product but the entire company culture. Every new hire on the Pocus team goes through security training and all company devices are secured.
What is SOC 2 and why is it important?
SOC 2 defines criteria for safely managing data according to 5 key trust principles: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is unique to each organization and outlines how a vendor manages your data.
There are two types of SOC 2 reports (Pocus has completed both audits):
- Type 1 describes a vendor’s systems and whether the design meets the relevant trust principles.
- Type 2 can only be achieved once those designs are put into action and the operational effectiveness of the design meets the standard.
A SOC 2 Type 2 report is an important part of any software vendor evaluation where the vendor will have access to any critical data or if important information is being stored in the vendor's environment.
At Pocus, we enable GTM teams to get access to product and customer data in a single pane of glass view. To do this we need access to the sources of that data, typically a data warehouse like Snowflake, BigQuery or Redshift, and their CRM. Giving access to critical data about product usage and customers can make many data security and IT teams nervous, which is why SOC 2 compliance ensures your vendor will keep that data safe and secure.
How does Pocus protect data privacy?
We’ve built a unique approach to working with your product and customer data at Pocus. We support multiple deployment options to suit customers' data privacy preferences. Depending on the approach taken, customers can limit the amount of PII exposed to Pocus’ cloud.
Other security and compliance measures we take include:
- Encryption: Data in transit is encrypted at all times, all storage systems are encrypted, and all Pocus servers are tightly access controlled and audited regularly. When debugging is required, a small number of engineers are given access on their encrypted devices and are required to remove any data from their device when work is complete.
- Multi-factor authentication required: Access to all critical systems and production environments is protected using strong passwords and multi-factor authentication. Where possible, SSO is used for centralized access control. Access is reviewed prior to being granted and then periodically thereafter.
- Limited data access: Pocus only extracts metadata, primary keys, aggregate statistics, and limited PII with your permission. You can restrict access to any data field by simply marking it as PII in your Pocus workspace settings.
- Pen testing: Pocus underwent a successful pen test from a third party to validate the security of our platform.
To help us reach this milestone and continue to safeguard our customers’ data, we worked with the awesome folks over at Vanta to help us set up the best processes and security systems. Vanta made the process very easy and we highly recommend them to other early-stage companies looking for a trusted partner.
Want to learn more?
Curious about Pocus’ Product-Led Sales platform and our approach to data privacy & security? Sign up for our waitlist and we’ll be in touch soon.