Announcing SOC 2 Type II Certification and HIPAA Compliance

We're proud to empower over two million businesses to send billions of messages daily and always work to ensure their data remains secure and private. As part of those efforts, we’re excited to announce that OneSignal is now SOC 2 Type II certified!

What is SOC 2?

SOC 2 is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) that sets compliance standards for a company’s security controls. We focused our controls around the Trust Service Criteria for: Security, Confidentiality, and Privacy.

Why is SOC 2 important?

SOC 2 provides third-party validation that an organization has implemented and is operating with security best practices. The certification shows that an organization has deeply invested in maintaining a commitment to cybersecurity. This provides confidence and trust for companies that want to use our service.

What was the process like to achieve SOC 2?

We first started with a gap analysis to determine what existing controls we had that were SOC 2 compliant and what new controls we needed to implement in order to meet SOC 2 compliance. In total, we put together 79 controls across the organization that meet the requirements set by SOC 2.

With the controls in place and operational, we tackled the Type I point-in-time audit. It was a moment of validation when our auditors confirmed our controls were operating properly.

Lastly, we underwent a six-month assessment period for our Type II audit. This was a significant test as we provided over 400+ pieces of evidence to demonstrate that we were in compliance with SOC 2 standards. All the hard work was worth it when we passed our audit successfully with no deviations discovered!

HIPPA Compliance

Our work in achieving SOC 2 certification has also helped us in our goal to achieving HIPAA compliance. For those not aware, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates how companies and healthcare providers handle protected health information (PHI) to ensure proper data security. We are happy to say that we now support a core aspect of HIPAA compliance by offering a Business Associate Agreement (BAA) to Enterprise Plan customers.

What’s next?

Beyond SOC 2 and HIPAA, we have recently added Single Sign On (SSO) as well, emphasizing our commitment to maintaining a high level of security for our customers. We’re continuing to invest heavily in this area to address our customers' needs. To get a copy of our SOC 2 report or request our BAA, feel free to reach out to us!