What Is a SOC Compliant ITAD Vendor?

Last month, ERI announced that it has completed Service Organization Control (SOC) 2 certification, becoming the only SOC 2 certified e-waste recycler in the industry. It sounds great, but what does it really mean to be a SOC compliant ITAD vendor?

 Every business and industry around the world keeps client records. Many businesses today are supported by several if not dozens of other vendors and companies. A store has payment processors, inventory software, web hosting companies, Customer Relationship Management software (CRMs), payroll/accounting software, etc. You have a hospital or medical office with web hosting companies, billing/insurance software, payroll/accounting software, CRMs, medical records storage and management, etc.

All of the information these different systems and vendors collect must be kept safe from theft. It’s a legal requirement to protect clients’ or patients’ private information. The vendors or companies that provide software or hardware have a responsibility to also protect that sensitive information. Service Organization Control (SOC) compliance from the American Institute of Certified Public Accountants (AICPA) is important for that very reason.

 Understanding the Basics of SOC Compliance

 Companies that go through SOC compliance make a promise that they use tools and measures to keep private information secure. And, there are several different types of SOC so companies need to understand the best SOC reports to gain to prove they’re trustworthy, ethical, and credible. After proving they meet the Trust Services Criteria, they’ll receive the appropriate SOC compliance certification.

  • SOC 1 – Applies to organizations that manage financial records like bank loans, insurance claims, investments, mortgage companies, and payroll.
  • SOC 2 – Applies to service organizations in areas outside of finance that produce intangible goods, such as eCommerce vendors and SaaS.
  • SOC 3 – You may know it as WebTrust and is similar to SOC 2 but it’s more for marketing/general use, while SOC 2 has a limited audience due to restricted use of the reports.
  • SOC for Cybersecurity – Cybersecurity Risk Management Reporting Framework that reports on an organization-wide risk management program regarding cybersecurity.
  • SOC for Supply Chain – This one is for distributors, manufacturers, and producers.

Take a Deep Dive Into SOC 2 Certification

SOC 2 reports are a guarantee that a business or service meets the four or five AICPA Trust Services Categories: Security, Availability, Confidentiality and/or Privacy, and Processing Integrity. This certification is voluntary, but a company that is SOC 2 certified has taken an extra step to prove to others that they’re serious about protecting their clients’ private information.

Security – All systems, information, and storage equipment are protected from unauthorized access, no information is disclosed without authorization, and any damaged or broken equipment must be handled in a way that also remains secure and protects privacy.

  • Availability – Systems and information must be readily available for use and operation and meet the promised objectives.
  • Confidentiality – Information that is confidential meets the legal and organizational requirements to stay private from prying eyes and unauthorized users.
  • Privacy – Any personal information that is collected, stored, used, shared, or disposed of is handled in ways that meet legal and organizational requirements.
  • Processing Integrity – System processing happens in a timely, accurate, and complete manner and meets the organization’s objectives.

There are SOC 2 Type 1 and SOC 2 Type 2 reports. Type 1 involves a manager’s description of systems and controls that prove that the company’s measures are designed to meet, if not exceed, all of the Trust Services Categories at that time. There’s also SOC 2 Type 2 that looks at the same criteria, but the audit covers a length of time to show how effective the system and controls have been over an extended period.

Management must write and refine their policies and systems of checks and balances that help provide proof that a company is taking every possible step to maintaining security, integrity, and privacy. They have to be detailed regarding what steps they take, the principles they follow, and how it’s all implemented each day.

With both, a CPA looks at the manager’s documentation and plans to make sure the controls and system meet the requirements outlined in the Trust Services Categories’ criteria. The CPA will do a walkthrough of the plant or company to assess the operating plan and how effective it is. Without the CPA’s audit and approval, the certification won’t happen.

After this, the audit report is created and the auditor goes over things with you. If you pass, you end up with SOC 2 Type 1 certification first. In about six months, if you’ve stuck with the auditing process, you can get SOC 2 Type 2.

Why SOC 2 Type 1 Matters

Your organization or office has a lot of electronics you don’t use. You have thumb drives and external hard drives. You have phones, printers, copiers, laptops, desktops, and pagers. All of these devices contain information that has files that must be kept private. You can’t just sell things when they could contain a client’s or patient’s private information.

When you arrange to have the electronics recycled, you’re trusting the company you partner with to be legit. In 2013, Surrey’s National Health System was hit with a sizable data breach. That £200,000 data breach (about $250,000) occurred when the data destruction company recycled NHS computers without taking proper measures to destroy the data. They crushed the hard drives rather than using techniques like degaussing or shredding.

By choosing a company that proactively takes steps to get certified, you have a level of confidence that they take data privacy seriously. ERI holds more certifications than you’d expect, and it’s because we take data privacy, ITAD, worker safety, environmental protection, and electronics recycling seriously. We believe the job must be done to the highest possible level. Not only are we the first ITAD company to hold SOC 2 certification, but we also hold several other certificates ensuring we are responsible and ethical e-recyclers.

  • e-Stewards – This audited, accredited certification program focuses on the protection of a brand, data security, the environment, and human rights.
  • ISO 9001 – Quality management system standards that focus on customer service, processes, continual improvements, and high-quality services.
  • ISO 14001 – The ISO 14000 standards focus on being environmentally responsible and sustainable.
  • ISO 45001 – ISO standards are plentiful, and ERI holds one that is about the health and safety of their workers, too. ISO 45001 certification goes to companies that provide safe and healthy environments to prevent workplace injuries and illnesses.
  • NAID AAA – There are around 1,000 NAID AAA Certified facilities on five continents. It’s awarded to companies that meet data destruction qualifications, meet HIPAA, EU General Data Protection Regulations, and obtain Downstream Data Coverage.
  • R2 – Finally, there’s R2 where those who are certified strive for the reuse of recycled materials and proper data destruction.

In addition, we hold a GSA Contract. Our data destruction services come in several levels starting from the level that is in accordance with NIST 800-88 Rev1 all the way up to Top Secret Demilitarization Services.

How can we help you? Large or small, we recycle unneeded electronics in ethical, environmentally-responsible ways. We destroy data and can even destroy data in your location if that makes you feel more comfortable. Track your devices from the moment they leave your building or offices, and it’s even possible to watch data destruction remotely. You’ll get a certificate to prove you followed the laws applicable to your business or organization. Talk to ERI, a SOC compliant ITAD vendor, today and let us know how we can help out.