SOC 2 compliance

OMTI is SOC 2 compliant

Are clients asking about your SOC 2® compliance? Or maybe you are concerned about the security and reliability of storing your data in the cloud. If so, we are pleased to announce that as of July 2024 OMTI received its third SOC 2 Type 2 report on the organization’s controls relevant to the security of our clients’ data and we are still SOC 2 compliant.

Initial OMTI SOC 2 compliance press release download PDF

AICOA SOC logo
  • What is SOC 2?  

    SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data, especially when that data is managed in the cloud. SOC is short for System and Organization Controls. It provides an independent assessment of a company’s security and privacy controls environment.

  • How SOC 2 works  

    The areas covered in the SOC 2 standard are security, confidentiality, privacy, availability, and processing. Service organizations that handle client data set up policies and procedures to control these areas; then an independent third-party CPA audits the company to see how well these controls are working safeguarding client data. After this review, the auditor prepares a report of their findings. Audits are conducted annually to ensure that the service organization continues to adhere to the standard.

    SOC 2 Type 1 vs Type 2

    There are 2 versions of SOC 2 compliance reports. Type 1 is basically a snapshot in time that shows a company has policies in place to address SOC 2 areas. The Type 2 report details the results from the auditor observing a company for a period of time (3 months for our audit).

    Type 1 is acceptable for a startup that needs to quickly reassure others that they have policies, but it doesn’t show that the company is actually following their policies. As an established entity, Type 2 was the better option for OMTI. A Type 2 report shows not only that we understand the necessary security procedures, but that we followed them over a period of time. During that period, the auditor checked the company’s security controls many times and found no issues. This type of systems review audit yields a stronger and more trustworthy report.

  • SOC 2 compliance report  

    OMTI has gone through the required compliance audit for the first time, and can provide the report on our compliance to our clients to:

    • Help them assess the risks associated with using a third party cloud service.

    • Share with their clients who require evidence of SOC 2 compliance.

    • Use in meeting their own SOC 2 compliance standard. If you need to comply with audit requests from outside accounting firms, the results of our SOC audit can help make those audit processes smoother.

    If you would like a copy of our SOC 2 compliance report, please fill out and submit a report request.

  • Why is SOC 2 needed?  

    OMTI moved the ReporterBase and MetaRecords applications, data, and repository to the cloud because of the many benefits to a cloud-based solution, such as minimizing clients’ hardware and software needs, and updating everyone to the latest version instantly. But it also shifted the burden of maintaining security, confidentiality, privacy, availability, and processing of all RB and MR clients’ data to OMTI. 

    Liability concerns with storing data remotely have created a demand for assurance of the security, confidentiality, and privacy of information processed by these systems. This is especially strong with the type of sensitive legal and medical data stored in RB9 and MR8.

  • What OMTI does to safeguard your data  

    We have taken several steps to ensure we maintain the security of your data in the cloud.

    First we choose Microsoft Azure’s cloud platform, one of the best cloud platforms for reliability, safety, and security. 

    Then we developed our own policies and procedures for maintaining the safeguarding aspects within our specific workflow. As part of the process, we analyzed our risk environment. We evaluated our controls to make sure they are in place, correctly designed, and operating effectively. And we identified and remediated any gaps discovered during this process. Along the way we created documentation to cover all of our policies and procedures.

    The final step was the independent 3rd-party audit of our setup that has resulted in our SOC 2 compliance report. Our SOC 2 certification shows that all relevant systems at OMTI or otherwise under OMTI’s responsibility are properly protected against the threat of modification or unauthorized access. 

    The process does not end with our SOC 2 certification. Security and compliance are ongoing efforts, so we will continue to monitor our policies, procedures, and internal compliance. And we submit to SOC 2 audits annually.