Understanding SOC Compliance & What it Means for Restorers and Technology | C&R Roundtable



Rachel Stewart is the CEO and one of the Founders of Xcelerate Restoration Software, a job management system designed to help contractors be profitable. Having spent the first 12 years of her career growing and building a restoration company from $1.5 million to over $20 million in annual revenue, Rachel developed a passion for the restoration industry. She also found areas of deep frustration – as she focused on growth, efficiency, and profitability, she encountered the limitations that technology in the space had on a daily basis, and it was affecting her people and the company’s bottom line. This lead to the creation of Xcelerate. In addition to her work in the industry and with Xcelerate, Rachel is the Author of Unqualified Success: Bridging the Gap From Where You Are Today to Where You Want to Be to Achieve Massive Success and she is the host of the Restore Your Power to Succeed podcast.

Paul Donald is an accomplished entrepreneur and technology executive with over 25 years of experience solving productivity issues with innovative technology. In 2012, Paul co-founded the Encircle app, creating a new standard that defines how property loss information is gathered, assessed, and reported when disaster strikes. Paul and his team at Encircle continue to bring trust and transparency to the claims process, aligning restorers, adjusters, and carriers globally around a single source of truth.

Mark Whatley an entrepreneur with over 10 years of restoration industry experience that incorporates all aspects of a loss, from mitigation to repair. As an Xactimate Certified Trainer, a Matterport Certified Trainer, and a licensed general contractor, Whatley’s hands-on industry expertise provides context for his resolute drive and problem-solving persona. He currently serves as President of sureti, a third-party fund control payment company that accelerates claim proceeds. He is also a founder of Actionable Insights, a non-profit that establishes adjusting guidelines that serve as a baseline for noble claims settlement. He is the author of The Umpire’s Mitigation Manual and the Umpire’s Repair Manual, two publications that have formed the foundation of the 3000+ page Insight Sheet Database.

1. When did your company start the SOC compliance process?

Rachel Stewart, Xcelerate
We had been building security measures into Xcelerate and our processes since inception, but we officially began the process to get the certification recognition the Summer of 2022.

Paul Donald, Encircle
Encircle officially began its System and Organization Controls (SOC) journey in 2022, though we’ve been proactive and committed to the secure storage and transmission of data since our inception in 2012. This process has validated the existing policies and protocols we have in place, which provides even more assurance to our customers and partners.

Mark Whatley, sureti
Our System and Organization Controls (SOC) 2 Type II compliance process began in October 2022 and was successfully authorized in January 2023. We chose SOC 2 Type II, as opposed to SOC 2 Type I or other means for security compliance, because a Type II audit assesses the efficacy of a company’s controls and observes operations over a period of months. SOC 2 reports focus more broadly on availability, security, processing integrity, confidentiality, and privacy, as well as testing the controls that need to meet the criteria, while SOC 1 reports focus on financial controls and meeting identified control objectives. 

As a nationally recognized certificate of compliance, SOC 2 provides a comprehensive framework for evaluating the controls and processes in place at a service organization. Achieving SOC 2 compliance helps organizations like sureti demonstrate their commitment to security, data protection, and regulatory compliance, which can improve customer trust and confidence in the services provided. SOC 2 reports are also independently audited and provide a high level of assurance to customers and stakeholders that a service organization is operating effectively and efficiently.

2. What was the actual internal audit like for you and your team – what was required of you in advance?

Rachel Stewart, Xcelerate
The audit itself was a pretty painless process. It is getting prepared for the audit that is extremely lengthy and time consuming.  It involves a lot of documentation gathering and providing proof of processes and security implementation. Luckily, there are some amazing technology solutions that can help and the team at Xcelerate was very efficient in getting it all completed.

Paul Donald, Encircle
We welcomed the audit and will continue to do so, as it’s an ongoing commitment each year. Having third party validation of a company’s policies and protocols, in our case completed by AssurancePoint, LLC, is essential to make sure the organization has the best possible measures in place with respect to data security, availability, processing integrity, confidentiality, and/or privacy. 

This should be considered table stakes for any technology vendor, but in our industry specifically, we process extremely sensitive data about property losses. Let’s consider residential work as an example: you’ve got people’s contact information and policy details, but you’re also directly in their homes during a very stressful and unanticipated event, taking photos, videos, notes, and so on. That level of detail absolutely needs to be treated with utmost integrity. Quite frankly, we want anyone who uses Encircle to be confident in that.

Mark Whatley, sureti
The internal audit was a thorough examination of the suitability of the design and operating effectiveness of our internal controls. In preparation for this audit, our team spent several months dissecting our internal controls and processes, software practices, and encryption methods. Our team had to investigate and question every aspect of, not just our product, but our general operations and communication methods. One example of tactics put in place is the use of authentication apps and other two-factor authentication (2FA) methods. These methods were elevated to all areas of our operation that required log-in credentials including within our own products and apps. 

We worked with an independent auditor, Modern Assurance, who examined and tested the design and operating effectiveness of fund control and digital payment platform for disbursing claims proceeds. We have thousands of users with different needs including contractors, property owners, insurance carriers and mortgage lenders, accessing our products and data. Modern Assurance allowed us to ensure that all entry points were safely protected and monitored and that only applicable data was accessible for each unique entity’s needs.

3. What does achieving this mean for your company? What other opportunities arise?

Rachel Stewart, Xcelerate
Getting the Soc 2, Type II compliance increases the credibility of Xcelerate in the industry and across the tech landscape at large. But in today’s day and age it really is a table stake. Data security and how data is used should be of utmost concern to all restoration contractors. How is my data stored?  Who has access to it? And is it being used in my best interest should all be things that people are considering.  

Paul Donald, Encircle
What this means is Encircle recognizes the importance of security and compliance within every role of our organization. It doesn’t matter if you’re in product management, sales, HR, marketing, customer success – every single role assumes ownership and responsibility with respect to security. We also review all processes and procedures, from vendor management to how we travel. 

Our strategy of continuous training, understanding of compliance, and having a dedicated function in the company to create oversight across all of these is critical as we continue to grow and scale. From a business perspective, we can demonstrate to the market Encircle treats data with the diligence needed to be a trusted, secure partner. Back in December of 2021, we announced a commitment to an open ecosystem so that our customers could integrate Encircle with the tools they need to operate their business. Whether that’s using Zapier to connect Encircle to an accounting system; adding equipment tracking and asset intelligence to their processes; or importing photos, documents and notes into XA with our new Verisk integration, we want the restoration industry to have more choice in the systems they use and the confidence that the data they’re capturing is handled with extreme diligence.

Mark Whatley, sureti
Achieving SOC 2 compliance is a demonstration of sureti’s commitment to security and privacy for all entities. SOC 2 compliance requires that a company implement and maintain robust security and privacy controls, such as data encryption and access management. By achieving SOC 2 compliance, we can officially assure our customers that sureti has implemented appropriate controls to protect their sensitive information, like Personally Identifiable Information (PII), and that we are regularly audited to maintain these controls. 

Any company that stores or transfers sensitive information owes a promise of security to its customers. To us, proactively acting on that promise involved taking a hard look at our security measures and implementing the necessary changes to make our intentions a reality.

4. What are the next steps now that you’ve achieved this? Does it offer a launching pad for other ways to serve customers and carriers?

Rachel Stewart, Xcelerate
Data security will be a long-term focus of Xcelerate. This is not a one and done situation. But what it does offer us is an ability to serve restoration contractors at a higher level, giving them more access to meaningful integration with other systems they may be using in the industry. Our number one concern is how we can help contractors grow, scale, and run their business efficiently. The best way to do that is to make sure that Xcelerate is integrating with the best solutions serving restoration contractors and that in doing so, their data is not only serving them, but is secure.

We have some exciting integrations and partnerships that we will be launching in 2023 and we can’t wait to showcase the gain that will be to contractors.  The landscape is changing and that is exciting.   

Paul Donald, Encircle
As far as next steps, it’s first important to note that SOC is an ongoing process and commitment that requires an annual review, which we’ll continue to prioritize. We also have dedicated team members reviewing data and privacy policies around the world – including GDPR, GDPR UK, PIPEDA and ISO – as Encircle’s presence continues to grow in other countries. Regardless of geography and borders, it’s our intention to continuously evolve our process to safeguard the data we collect, complying with local laws as well as recognized best practices. 

At Encircle, this extends far beyond our product. We see a need to address security across the whole ecosystem. Most companies are breached by a lack of knowledge, awareness, and diligence. Understanding this and ensuring we are attending appropriate conferences, reviewing the National Vulnerability Database (NVD), and continually exercising the whole ecosystem helps to place us in a better position. 

In summary, our strategy is to never think we are “done.” Security will remain part of Encircle’s DNA with robust training and clear policies.

Mark Whatley, sureti
Our next SOC 2 Type II audit window begins in mid-May, so we’re doubling down on ensuring our internal procedures and processes remain compliant with SOC 2 requirements. Similar to the first phase of our audit, this period will involve: 

  • A regular review of our internal policies and procedures 
  • Preparing for risk assessments to identify potential threats and vulnerabilities, and implementing appropriate controls to mitigate them
  • Testing our incident response plan to ensure sureti can respond quickly and effectively to security incidents

Of course, we plan to recertify for SOC 2 Type II compliance annually to maintain our compliance status and uphold the soundness of our security protocols. 

We recognize this level of compliance as a launching pad for increasing customer trust, loyalty, and retention in several ways. For one, SOC 2 compliance demonstrates to carriers and contractors that an organization has taken the necessary steps to protect sensitive information and they take security and privacy seriously. When working with a service that specializes in accelerating the flow of funds, that effort to foster trust across all entities goes a long way.

5. What does it mean for contractors working with SOC 2-compliant vendors?

Rachel Stewart, Xcelerate
Obviously, cyber-security and cyber threats should be a big concern for everyone. We are an industry that deals with the unexpected risks every day and strives to minimize those risks. The same is true for the technology that contractors are choosing to use. Making choices that reduce risk, is just smart for everyone.  

Paul Donald, Encircle
Restoration contractors collect and transmit very sensitive data every time they’re at a loss and, from a customer’s perspective, there’s an expectation that they will handle that information privately and securely. For that reason, contractors need to be confident that the vendors they choose to work with – and share data with – are treating that data in a responsible, secure manner for the purpose it’s intended for. This is really what SOC 2 is about. Working with SOC 2-compliant vendors means a contractor can feel a higher level of comfort because their framework has been vetted and validated, with the appropriate controls in place.

Mark Whatley, sureti
For contractors, SOC 2 compliance means the vendor has demonstrated they have implemented adequate controls and processes to protect sensitive information in accordance with the Trust Services Criteria outlined by the American Institute of Certified Public Accountants (AICPA). A major element of sureti’s service is ensuring that contractors get paid for their work in full and on time — and now they can have peace of mind that our systems and processes have been thoroughly evaluated and found to meet the highest standards for information security and privacy. This can also help to reduce the risk of security incidents and ensure the confidentiality, integrity, and availability of sensitive information. 

Of course, it’s important to note that SOC 2 compliance is only one aspect of due diligence, and it’s still the responsibility of contractors to properly evaluate the vendor’s security practices and controls before entering into a business relationship. SOC 2 compliance does not guarantee that a vendor will be immune from security incidents, but it does demonstrate that they have taken appropriate steps to minimize the risk of such incidents.

6. What does it mean for carriers working with SOC 2-compliant vendors?

Rachel Stewart, Xcelerate
Less risk for their legal team and ultimately more security for the policy holder. 

Paul Donald, Encircle
On the carrier side, there’s an expectation that every party involved in the claim workflow operates to a high standard and protects the policyholder’s privacy, while accurately collecting and transmitting the data required to settle a claim. Carriers are certainly not going to work with a vendor who cannot validate their standards – it would simply be irresponsible. Carrier data requirements are only expected to get stricter with respect to operational security, data security, compliance, and data integrity as time goes on. 

SOC 2 certification not only validates much of this, but it also reflects an organization’s commitment to these expectations on an ongoing basis.

Mark Whatley, sureti
Property & Casualty (P&C) Insurance Carriers know all too well the impact of a data breach. Whenever we hear about sensitive user information being leaked or a corporation’s information being compromised, it’s the greater P&C community that bears the weight of indemnifying corporations for costs like consumer restitution, legal fees, public relations, and ransom (to name a few). Homeowner and Personal Auto Insurance Carriers have a particular duty of safeguarding our personal information. With so many third-party data services leveraging APIs to send this data back and forth, the carrier cannot rely solely on their own security precautions anymore. 

SOC 2 authentication is critical for today’s insurance carriers to trust their partners. The entire industry is leaning into security measures and prioritizing protecting the policyholder’s PII to the highest degree of safety. Yet still too many Insuretechs are putting off their SOC 2 audit, subsequently hindering their ability to earn the trust of the broader P&C insurance community. Insuretechs that have attained (or are attaining) SOC 2 Type II compliance signal a priority to safeguarding the carrier and policyholder’s best interests.

7. Of the 5 principles of SOC 2 compliance, what do you believe is the most important for technology platforms to embrace as it relates to the property damage restoration industry?

Rachel Stewart, Xcelerate
I think the most effective and meaningful security that comes out of SOC 2 is penetration testing. That is where the policies and practices are actually put to the test. I think every company should be using the resources and technology available to enhance security such as two-factor identification or single sign on tools.  

Paul Donald, Encircle
The 5 principles – Security, Availability, Processing Integrity, Confidentiality, and Privacy – all play important roles for restoration tech. If you had to pick just one, security is the common principle for an audit, though anyone should be cautioned against downplaying the importance of the other four principles. 

As providers of technology platforms, we must always ensure they are available, processing data appropriately, and in accordance with confidentiality or privacy regulations. It’s a big responsibility to take on and it’s an incredibly important one, which is why SOC 2 examinations exist.

Mark Whatley, sureti
The five principles of SOC 2 compliance are Security, Availability, Processing Integrity, Confidentiality and Privacy. While each principle is equally important in its own right, confidentiality and privacy are the most important for modern technology platforms handling PII. 

Confidentiality refers to ensuring information is protected from unauthorized access, while privacy refers to handling information in accordance with laws and regulations and in a manner that protects the privacy of individuals. A data breach or unauthorized access of a user’s PII can introduce significant consequences for both the individuals whose information was accessed and the company responsible for protecting it. This is something sureti takes very seriously.

For contractors, the availability principle is particularly important for restoration and cleanup efforts. For instance, a system outage or failure of our system could result in payment delays that slow down resolving insurance claims — which is exactly what our business aims to prevent. If sureti’s system was suddenly unavailable, it would negatively impact our ability to provide timely services to the entities we service. 

This is why it’s important for technology platforms in the restoration industry to implement and maintain strong controls around system availability and disaster recovery — and ensure properties are rebuilt, contractors are paid, and property owners are satisfied. All these practices fall under SOC 2 compliance requirements.

8. Anything else?

Rachel Stewart, Xcelerate
SOC2 certification done right is expensive and an ongoing heavy administrative burden for technology companies. Having the right team in place and the right approach makes all the difference.  

Paul Donald, Encircle
The main thing to understand from all of this is, as an industry, we can all expect data requirements to continue to expand and become more detailed as time goes on. A lot of parties are involved in a claim – you’ve got technology vendors, restoration contractors, adjusters, managed repair networks, carriers – and we all have a collective responsibility to keep data secure, protected, and private as we do our jobs.

Mark Whatley, sureti
We owe a huge thanks to our development team for making our journey to compliance so successful. SOC 2 compliance is not easy to achieve, and our team’s diligence and attention to detail helped further streamline the auditing process. 

Above all, the process was a great exercise in evaluating and strengthening our security measures and internal controls. It’s a continual process as well, and the work is just beginning. Maintaining trust and compliance with insurance carriers and contractors means our development team has implemented new and improved practices to make certain sureti keeps its SOC 2 Type II compliance. We highly recommend any Insuretech or Fintech company involved with PII should make SOC 2 Type II certification its highest priority. There are only upsides for the pursuing company and a stronger ecosystem for all of us.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Latest Posts
Most Popular

Hey there! We're glad you're here!

This content is only available for subscribers. Please enter your email below to verify your subscription.

Don't worry! If you are not a subscriber, simply enter your email below and fill out the information on the next page to subscribe for FREE!

Back to homepage