How Momentive securely manages customer data
What our SOC 2 Type 2 certification means for customers.
One of the many things that businesses have begun to appreciate during this pandemic is the power that technology has to enable employees to work fully remote. As Momentive CIO Eric Johnson wrote in September, the pandemic has led IT to completely rethink business operations. However, remote work and digital transformation due to the pandemic have also increased the average total cost of a data breach in business. According to IBM’s study of 537 data breaches across 17 countries, the average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor.
Industry standards such as System and Organization Controls (SOC) for Service Organizations reports developed by the American Institute of Certified Public Accountants (AICPA), are designed to provide customers with peace of mind around how their vendors manage and process data. SOC 2 is an independent auditing procedure that provides assurance about the systems and processes that a service organization uses to process customer data and the confidentiality and privacy of the information being processed. Momentive recently achieved SOC 2 Type 2 certification, adding to our existing ISO 27001 certification.
Achieving SOC 2 Type 2 certification is a significant effort and it demonstrates to our customers that we have an established process on securely managing data and running a world-class security program.
Our SOC 2 Type 2 certification applies to the SurveyMonkey and GetFeedback platforms.
What SOC 2 Type 2 certification means for customers
Three trust service principles fall under the SOC 2 criteria for managing customer data: security, availability, and confidentiality.
- Security refers to how the service organization protects system resources against unauthorized access.
- Availability demonstrates how the service organization ensures system or service availability as stipulated by a contract or service-level agreement.
- Confidentiality ensures that data is restricted to a specific set of persons or organizations and encrypted to protect the data during transmission.
At Momentive, we take our responsibility to protect and secure your enterprise information seriously. Security is built-in across our products, infrastructure, and processes.
How Momentive manages data security
We use encryption, access control, and need-to-know processes to ensure proper handling of customer data throughout its lifecycle. Our global Trust & Security team works around the clock to monitor and manage our security posture. They are responsible for security compliance, education, operations, and incident response.
Data resides on our infrastructure, which is hosted and managed on public clouds. We select public cloud vendors that demonstrate and adhere to rigorous data protection processes. In addition, we perform rigorous security testing and maintain security incident response policies. These processes help us to adhere to 99.9% uptime of our web services.
One of our most important security strategies is to comply with and expand coverage of the industry regulations that matter to businesses. In addition to our SOC 2 Type 2 certification, we work with multiple third-parties to audit and certify our products with ISO 27001, PCI DSS 3.2, and more.
View our Security Statement for more details about how we protect data for both our enterprise and individual customers.
Brent Williams is chief information security officer at Momentive