Blissfully SOC 2 Playbook 2020 PDF



BLISSFULLY’S

SOC 2 Compliance
Playbook

blissfully.com/soc-2
The Blissfully Guide to SOC 2 Compliance

Table of Contents

A SOC 2 OVERVIEW
The History of SOC 2 in Brief

SOC 2 TRUST PRINCIPLES
SOC 2 Common Criteria

THE SOC 2 AUDIT PROCESS
SOC 2 Type I vs Type II Explained
Typical SOC 2 Timeline

WHY SOC 2 COMPLIANCE?
The Value of SOC 2 as a Vendor
4 Good Reasons to Pursue SOC 2 Compliance
When to Consider SOC 2 Compliance

BLISSFULLY: BUILT FOR COMPLIANCE
Our SOC 2 Philosophy
Our SOC 2 Process
The SOC 2 Pyramid
Policies
Procedures
Proof (Supporting Documentation)
The Right Approach for Each Common Criteria

HOW BLISSFULLY HELPS WITH SOC 2 COMPLIANCE
Internal Workflows
Vendor Management
SaaS Discovery, Security, and Monitoring
SaaS Codex and System of Record

IN SUMMARY

SOC 2: Everything You Need
In addition to this guide, Blissfully maintains a set of always up-to-date resources
including templates, guides, new tips, and more. Find them all at blissfully.com/soc-2.


SOC 2 is an increasingly common compliance framework that applies to many
businesses today. Specifically, it applies to any service organization that stores
or processes customer data in the cloud. It is most relevant to SaaS businesses, but
also to many others that hold their customers' data in this way.

SaaS vendors in particular need to be SOC 2 compliant in many instances,
especially when they sell to the enterprise. Enterprises are often beholden to a
wide variety of security and compliance controls, and being demonstrably SOC 2
compliant as a vendor gives those enterprise customers the assurance they
need to do business with you.


A SOC 2 Overview
SOC 2 isn't a set of hard and fast rules. Rather, it is a framework that sends a
strong signal that an organization prioritizes key attributes: security, availability,
processing integrity, confidentiality, and privacy.

Completing a SOC 2 examination on its own is generally not enough to prove that
you are 100% secure as an organization (strictly speaking, SOC 2 is an auditor's
attestation report, not a certification), but it's a very good start and will go a
long way toward instilling trust in your customers.

The History of SOC 2 in Brief

Before SOC 2, the original standard for auditing service organizations was known
as SAS 70 (Statement on Auditing Standards No. 70). SAS 70 audits were
performed by Certified Public Accountants (CPAs) with the original intent of
reporting on the effectiveness of internal financial controls. They were introduced in
the early 1990s.

Over time, the audit started to be used as a way to report on the effectiveness of
a company's internal controls around information security more broadly. Around
2010, SOC 1 and SOC 2 reports were introduced by the AICPA (the American
Institute of Certified Public Accountants) with the explicit purpose of addressing
the growing need of companies to externally validate and communicate their
security posture.

Today, SOC 1 reports are centered around controls impacting financial reporting,
similar to the original SAS 70. SOC 2 reports, on the other hand, are written on
audits against the Trust Services Criteria (TSC), which we'll explain below.
This standard is ideal if you're looking for a way to simultaneously improve your
company's maturity around business processes and security.


SOC 2 Trust Principles

SOC 2 audits are organized around five "Trust Principles" (the AICPA now calls
them Trust Services categories). When you are audited, you will choose which
principles you want the auditor to attest to. This is a business decision based on
what is most important to your customers. The Trust Principles are:

Security
The foundational principle, common to all SOC 2 audits.

Confidentiality
Protection of sensitive data from unauthorized disclosure.

Availability
Assurance that systems or data will be available as agreed or required.

Processing Integrity
Assurance that system processing is complete, valid, accurate, timely, and
authorized, and that systems or data are not changed in an unauthorized manner.

Privacy
The collection, use, retention, disclosure, and disposal of personal information is
protected.


All SOC 2 audits include the "Common Criteria". This is the biggest section of the audit
and touches on every aspect of information security controls. Companies can start
with a Common Criteria audit (the Security principle alone) if they're looking to keep
the scope small. The Common Criteria underpin all of the principles noted above.

In addition to the Common Criteria, mature SaaS companies tend to add on
Confidentiality and Availability. The Processing Integrity principle is typically chosen by
companies processing a lot of transactions, as well as financial institutions. Privacy
is seldom included as part of a SOC 2 audit. While it has value, most organizations
tend to focus their privacy efforts around compliance with HIPAA or EU
regulations (like GDPR). European customers generally want assurance
against their own standards rather than SOC 2, and those standards tend to have more
stringent requirements. If you need to uphold GDPR, for example, then you'll be
focusing on privacy when you go through that process.

SOC 2 Common Criteria


The SOC 2 Audit Process

The SOC 2 reporting standard is defined by the AICPA, and every SOC 2 report is
signed by a licensed CPA firm. To achieve SOC 2 compliance, most companies spend
anywhere from six months to a year on focused preparation. This includes
identifying which systems are in scope for the audit, developing policies and
procedures, and implementing new security controls to reduce risks.

When ready, an organization will hire a licensed CPA auditor to conduct the audit.
The actual process involves scoping, artifact and document collection, and an on-site
visit. The time commitment is typically several hours of introductory phone
conversations and two days in person at your office. While in your office, the
auditor will conduct interviews and review submitted material. When starting to
scope a SOC 2 audit, there are a few key decisions that will need to be made up front.
First, do you want a Type I or Type II audit? This terminology can be confusing to
newcomers because of the mix of Arabic and Roman numerals.

Here's an easy way to remember: S = SCOPE, T = TIME.

SOC 1 = Financial reporting scope.
SOC 2 = Information security scope.
Type I = At a single point in time.
Type II = Over a period of time (commonly 6 to 12 months).


SOC 2 Type I vs Type II Explained

SOC 2 Type I
An audit conducted against the Trust Services Criteria at a single point in
time. This audit answers: Are all the security controls that are in place today
designed properly?

SOC 2 Type II
An audit conducted against the Trust Services Criteria over a period of
time. This period typically covers six months the first time, and then a year
thereafter. In other words, this audit answers: Did the security controls that were
in place from January 1 through June 30 operate effectively? Because the auditor
samples evidence from across the whole period, you'll need a system of record.

Type I reports are, as you might imagine, quicker to prepare for and conduct
because you don't have to wait for six months of historical data. However, while
Type II reports take more time, they are also that much more valuable in the hands
of customers, prospects, board members, partners, insurance companies, and so
on. They report on what you're actually doing, rather than what you aspire to do.
Because of this added value, my general recommendation is to get started early
and work directly toward the Type II report. This approach emphasizes immediate
action taken toward improving your security, and because a Type II report covers
the design of controls as well as their operation, you save the cost of a separate
Type I audit in the long term if you start with Type II from day one.


Typical SOC 2 Timeline

Why SOC 2 Compliance?


Companies of all sizes can benefit from establishing an elevated level of trust with
customers, prospects, and partners. If you process or store data on behalf of a
customer, you should be concerned with how it's protected.

The news is full of stories of large companies admitting to massive security
incidents such as 500,000 leaked passwords, or millions of stolen credit card
numbers. The recovery and cleanup of these incidents can cost in the tens of
millions of dollars, including the clean-up and forensics process, implementation of
new controls, and lagging sales due to lack of customer confidence.

Large companies can often recover from a security incident like this because they
have the financial resources and brand recognition to move past a single slip-up.
Small companies and startups aren't always so lucky. Loss of a single large
customer due to a security compromise, or reputational damage that impacts a
company's ability to raise additional rounds of VC funding, can be devastating for a
small or young business.

While there is no way to absolutely guarantee security, the SOC 2 report and Trust
Services framework give companies external validation that they are managing
risks appropriately.


The Value of SOC 2 as a Vendor

If you don't have SOC 2 compliance as a vendor, you will probably have to fill out
more than a few security questionnaires before you can work with any enterprise-
scale customers. While that might sound easier than a SOC 2 audit on the surface,
the questionnaires can be quite detailed and overwhelming, and they are often
hard to fill out if you don't already know the security lingo, have tooling in place,
and know how to document processes. In other words, if you haven't already gone
through the process of setting up and enforcing policies as you would for SOC 2,
you may find yourself stuck when the questionnaires arrive.

In a nutshell, being SOC 2 compliant will both help you sell to the enterprise and
force you to follow a set of strong best practices when it comes to keeping your
company's and customers' data safe. Security is (or at least should be) a major
concern for all technology-focused companies today, as we've written about in our
previous eBook, Blissfully's Practical Guide to People-First SaaS Security.
Achieving SOC 2 compliance is a good way to demonstrate that you do indeed
have security at heart in all you do as an organization.


4 Good Reasons to Pursue SOC 2 Compliance

Regardless of whether customers or prospects are knocking down your door for a
SOC 2 report, it's crucial to start SOC 2 preparation as early as possible. Even if you
don't plan to have an audit conducted for a while, starting early will set your
company up for success in many arenas.

It Improves Security
The formulaic approach necessitated by SOC 2 will improve your overall security.
This process will mitigate potential attacks while building a strong security process
that will help you win new business by better answering risk questionnaires.
Security and compliance should be approached as an ongoing process, rather than
a single event, and SOC 2 pushes organizations to build sustainable programs.

It Bolsters Company Culture

Implementing new security controls can be tough. People may complain about the
extra time it takes to log in to services using multi-factor authentication. However,
the minor annoyances are worth the ultimate outcome. When it comes to building
a secure and compliant company culture, the smaller and younger you are as an
organization when new processes are put in place, the easier it will be to scale.
Companies as small as three employees have gone through SOC 2 audits. It is also
helpful to automate these processes as much as possible, baking them deep into
your company culture.

It Provides Documentation
It's never too early to get your documentation in order. Do you have policies and
procedures? Do you have internal standards documentation? Having these
processes well-documented will improve internal communication and consistency,
which in turn enables you to meet legal and compliance challenges, close more
sales, and prepare for financial changes like a merger or acquisition or a new round
of VC funding.


It Helps with Risk Management


Finally, preparing for a SOC 2 audit will give you a framework for acknowledging
and mitigating risks. Many organizations that have not undergone a formal
compliance audit are either unaware of security risks or addressing them in an ad
hoc way. Approaching compliance systematically instead will ensure that even
risks that aren't top of mind receive attention and can be mitigated in a timely
manner.

When to Consider SOC 2 Compliance

It's a good idea to consider becoming SOC 2 compliant early in your company's
journey if you know you are going to be selling technological services to
enterprises and will be storing and/or accessing sensitive customer data of any
sort.

While it can be challenging to undertake a SOC 2 compliance exercise while you
are small and under-resourced, it can actually be even harder to do once you grow
larger. The larger your company is and the further along you are in your growth,
the harder it is to change culture, processes, tools, and more. When you are
smaller, you may not have an IT or security owner, but as soon as you do hire
someone in a role like that, you may want to begin thinking about preparing for
SOC 2 compliance. Sooner is better, since it will help you integrate the processes
and controls into your team's culture from the get-go. In fact, the team at Blissfully
decided to become SOC 2 compliant quite early in our journey.


Blissfully: Built for Compliance


Blissfully was created in 2016. Our mission is to simplify how organizations
manage IT.

SaaS is taking over the business world, empowering teams to drive productivity
using apps they love. In fact, Cisco estimates that 75% of workloads will be SaaS-
only by 2021.

This rise of SaaS has distributed IT management across the entire organization,
creating an overall lack of visibility. While extensive toolsets exist to manage the
traditional IT stack (things like networking, infrastructure, and hardware), no
equivalent existed for the IT business operations (SaaS) stack.

That's why we created Blissfully: to be a real-time source of truth, giving teams
visibility into their entire app ecosystem. We aim to simplify and humanize IT
operations so companies can focus on what they do best.


Our SOC 2 Philosophy

SOC 2 is a framework to build processes around. Use this guide and the SOC 2
criteria to embed security and compliance into your core culture and business
processes. Developing processes around the Common Criteria and trust principles
will give you a foundation that you can build and scale from, rather than a once-
per-year scramble for evidence.


Our SOC 2 Process

Most companies wait until their B or C round (or later) to start tackling key
industry security audits and compliance certifications. We think that's a mistake.
Starting early embeds security and compliance into your company culture and
processes from the start, making it easy to grow and scale.

At Blissfully, we undertook our first SOC 2 audit when we were just 5 employees,
over 3 years ago. Strong security is fundamental to our vision of the company we
wanted to build. Our mission is to simplify how organizations manage IT, and this
means being deeply embedded in their organization and having access to
sensitive information. Getting companies to work with us requires trust, and
achieving SOC 2 compliance helps us demonstrate to our customers that we are
trustworthy, and take security, privacy, and compliance seriously enough to invest
in it. We did it so early in our company lifecycle because we wanted to create a
culture that treats security as a central tenet from the start, not something that we
bolted on years later with some outside consultants.

The SOC 2 Pyramid


We developed the SOC 2 Pyramid to give you a visual representation of the SOC
2 compliance process.

It consists of three levels. The foundation is your policies: these document what
you do, i.e. they govern the behavior of employees, vendors, contractors, etc. to
meet security requirements.

Above policies are your procedures: these demonstrate how your policies work
operationally, i.e. what steps you take in response to key events to manage data.

Finally, the top of the pyramid is proof: supporting documentation that
demonstrates adherence to policies and procedures.

The SOC 2 Pyramid is an excellent way to understand the audit preparation
process and to visualize it in such a way that it seems less overwhelming.

In this playbook, we will also explain what documentation you will need to stay in
compliance across each of the three categories.

We will also list a bevy of recommended tools to manage the audit process and
ongoing maintenance.

By following this playbook, you can begin to build your SOC 2 strategy and start
to form your project management teams.


Policies

All SOC 2 examinations include an auditor review of organizational policies.

These policies must be documented and formally approved by management.

Each policy covers one piece of your overall security of company and customer
data.

These are the general policies related to a SOC 2 exam that you must have in
place and comply with:

• Information Security Policy
• Access Control Policy
• Password Policy
• Change Management Policy
• Risk Assessment and Mitigation Policy
• Incident Response Policy
• Logging and Monitoring Policy
• Vendor Management Policy
• Data Classification Policy
• Acceptable Use Policy
• Information, Software and System Backup Policy
• Business Continuity and Disaster Recovery Plan


Procedures

These documents describe HOW the business adheres to the policies.

Security procedures must be meticulously written so that any change to the
existing workflows in the future can be tested and verified to remain in
compliance.

These procedures will serve as the basis for future audits and include the day to
day implementation of your key policies.

For example, your Access Control Policy procedures include requirements for
authenticating users, reviewing user access, using role-based access control, and
authorizing, modifying, and removing users.

These procedures also include how access to privileged accounts is controlled, and
the type of access or systems that require two-factor authentication.
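Here is what the "reviewing user access" step looks like once it is automated rather than eyeballed in a spreadsheet. This is an added example written for this playbook, not Blissfully's code or tooling: it reconciles per-app user exports against the HR roster and a role-based access model, and flags the findings both a reviewer and an auditor sampling CC6 evidence expect to see (orphaned accounts of leavers, accounts with no matching identity, access outside the role, privileged accounts without MFA, dormant accounts). The record layouts, the role-to-app mapping, the 90-day dormancy threshold and the sample data are all assumptions.

```python
"""Periodic user-access review (CC6 evidence).

Added example, not Blissfully's code. Record layouts, the role-to-app map,
the dormancy threshold and the sample data below are assumptions; in practice
the inputs come from your HRIS export and each app's admin user export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Employee:
    email: str
    status: str                       # "active" or "terminated" (from HRIS)
    role: str                         # job role used for RBAC
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class AppUser:
    app: str
    email: str
    privileged: bool                  # admin/owner role inside the app
    mfa_enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    issue: str
    detail: str


# Role-based access model: which apps each job role may hold (assumption).
ALLOWED_APPS: Dict[str, Set[str]] = {
    "engineer": {"github", "aws"},
    "sales": {"crm"},
    "finance": {"crm", "billing"},
}


def review_access(roster: List[Employee], app_users: List[AppUser],
                  as_of: date, dormant_days: int = 90) -> List[Finding]:
    """Reconcile every app account against HRIS and the RBAC model."""
    by_email = {e.email.lower(): e for e in roster}
    findings: List[Finding] = []

    for u in app_users:
        emp = by_email.get(u.email.lower())

        # 1. Account with no matching identity in HRIS (contractor? shared login?)
        if emp is None:
            findings.append(Finding(u.app, u.email, "unknown_identity",
                                    "no HRIS record for this account"))
            continue

        # 2. Offboarding gap: a terminated employee still holds an account
        if emp.status == "terminated":
            days = (as_of - emp.terminated_on).days if emp.terminated_on else -1
            findings.append(Finding(u.app, u.email, "orphaned",
                                    f"terminated {days} days ago, account still active"))
            continue

        # 3. RBAC violation: app not permitted for the employee's role
        if u.app not in ALLOWED_APPS.get(emp.role, set()):
            findings.append(Finding(u.app, u.email, "out_of_role",
                                    f"role '{emp.role}' is not entitled to {u.app}"))

        # 4. Privileged account without multi-factor authentication
        if u.privileged and not u.mfa_enabled:
            findings.append(Finding(u.app, u.email, "privileged_no_mfa",
                                    "admin account without multi-factor authentication"))

        # 5. Dormant account: never logged in, or not within the threshold
        if u.last_login is None or (as_of - u.last_login).days > dormant_days:
            findings.append(Finding(u.app, u.email, "dormant",
                                    f"no login in the last {dormant_days} days"))
    return findings


# Constructed sample data (not real exports).
SAMPLE_ROSTER = [
    Employee("ana@example.com", "active", "engineer"),
    Employee("bo@example.com", "terminated", "sales", date(2020, 3, 2)),
    Employee("cy@example.com", "active", "finance"),
]
SAMPLE_APP_USERS = [
    AppUser("github", "ana@example.com", True, True, date(2020, 3, 30)),
    AppUser("aws", "ana@example.com", True, False, date(2020, 3, 29)),
    AppUser("crm", "bo@example.com", False, True, date(2020, 2, 28)),
    AppUser("github", "cy@example.com", False, True, date(2019, 11, 1)),
    AppUser("crm", "dan@example.com", False, True, date(2020, 3, 15)),
]


def run_sample_review() -> List[Finding]:
    """Review the constructed sample as of 2020-04-01."""
    return review_access(SAMPLE_ROSTER, SAMPLE_APP_USERS, date(2020, 4, 1))


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.app:<7} {f.email:<16} {f.issue:<18} {f.detail}")
```

The output of a run like this, together with the reviewer's sign-off and the ticket raised for each finding, is the artifact an auditor samples for CC6. The point is that the review is reproducible and dated, so the Type II question "did the access review operate every quarter of the period?" is answered by the review records themselves.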

Here at Blissfully, we've created a series of policy and procedure documents that
you can use to make your SOC 2 audit easier. Simply download them in Google
Docs, Notion, or MS Word, and customize them with specific company
information.

Proof (Supporting Documentation)

The day-to-day implementation of your key policies must be documented
consistently.

Standard tools that help with this can be Google Docs and Notion to manually
document changes and the procedures surrounding them. This can be a time-
consuming task if your records from the past aren't well-organized.

Workflow management software like Blissfully, which automatically records and
stores workflow activity, can make evidence gathering a one-step process. Just
export your saved workflows.


The Right Approach for Each Common Criteria

The "Common Criteria" in SOC 2 should not be confused with the Common Criteria
for Information Technology Security Evaluation (ISO/IEC 15408), which is an
internationally recognized scheme for certifying security products through
independent testing laboratories. That scheme has nothing to do with SOC 2.

In SOC 2, the Common Criteria are the criteria that apply to every examination,
whichever Trust Principles you put in scope. They make up the Security principle
and are grouped into nine series, CC1 through CC9, covering the control
environment, communication, risk assessment, monitoring, control activities,
logical and physical access, system operations, change management, and risk
mitigation.

Below are the nine Common Criteria as they typically apply to SOC 2
compliance for SaaS providers and vendors.


CC1 Control Environment

Framework: Management and Communications

Goal: Assure that management and the Board of Directors place a high value on
integrity and security.

Details: Management is committed to the security of customer data and takes this
into account when hiring personnel, evaluating processes and reporting
compliance.

The Board of Directors has independent oversight of the management team.

Activities and Deliverables: Ensure management understands SOC 2 and security
and that they manage accordingly. CC1 is accomplished through onboarding
procedures and ongoing training.

Additional Considerations: CC1.4 requires that your employees are competent and
trained in security. This is accomplished through your onboarding plan and
company workflows.

Software Recommended: HRIS such as BambooHR or Workday, and Blissfully


CC2 Communication and Information

Framework: Management and Communications

Goal: Create quality policies and procedures to ensure customer data and
operational security.

Establish consistently reliable communications, both internally and externally.

Details: Your organization must generate and use quality information and
documentation to ensure secure workflows and controls.

It must also mandate proper communications across all departments and to
external parties like vendors and customers.

Activities and Deliverables: Produce high-quality policies and procedures that are
available through online documentation that is easily accessible to staff.

Establish internal tools that will validate secure communication, both internally
and externally.

Software Recommended: Notion, Google Docs, or other communication systems
with audit functionality, but email also works.


CC3 Risk Assessment

Framework: Risk Assessment, Monitoring, and Control

Goal: Create clear objectives, analyze the risks to achieving those objectives, and
monitor how procedural changes impact risk.

Details: Specify organizational objectives clearly enough that personnel and
management can assess current and potential risks, including fraud.

Develop procedures to update the risk assessment when fundamental changes to
internal systems take place.

Activities and Deliverables: Risk assessment processes that have corresponding
documentation that is readily available to stakeholders. This includes regular
updates and audits of both the risk assessment and the outcome of the
evaluation.

Key Documents: Risk Assessment Tracking

Software Recommended: Notion, Google Docs, or other


CC4 Monitoring Activities

Framework: Risk assessment, monitoring, and control

Goal: Continually monitor, evaluate, and communicate the effectiveness of
internal controls to accomplish the overall mission of securing data.

Details: Creating ongoing evaluations of controls that communicate deficiencies,
both internally and externally, when appropriate.

Activities and Deliverables: Evidence that shows risk control activities and defined
risk management procedures.

Policies and Procedures: Notion, Google Docs, or other.

Software Recommended: Company workflows (usually department-specific) to
easily export evidence (e.g., JIRA or Clubhouse for engineering, GitHub for
infrastructure, AWS, etc.)


CC5 Control Activities

Framework: Risk assessment, monitoring, and control

Goal: Develop precise process controls and use technology to achieve company
objectives while mitigating risk.

Details: The company develops controls for both workflow processes and
technology tools to mitigate risk while still achieving pre-defined objectives. It also
defines transparent policies to establish expectations and procedures to ensure
compliance.

Activities and Deliverables: Provide documentation showing risk control activities
and proving risk management procedures were followed.

Key Documents: Risk Management Procedures

Software Recommended: Technology management that includes vendor
management and related workflows to track employee activity, e.g., Blissfully, plus
HRIS/employee tracking such as BambooHR, Workday, or Checkr to maintain
physical access records.


CC6 Logical and Physical Access Controls

This is a big one. It is what we typically think of as "security", and possibly the most
important CC.

Framework: Logical access to systems and data, and physical access to the premises
where the organization houses data. This is the most in-depth of the Common Criteria.

Goal: Ensure only the right people have access to critical data, secure and encrypt
data at all times, and physically protect servers storing data.

Activities and Deliverables: Providing sound security practices for physical servers,
workstations, and employees, and evidence that these practices are working.

Software Recommended: Employee access control and on/off-boarding
procedures (Blissfully + Okta + HR department)


CC7 System Operations

Framework: Robust Servers and Infrastructure

Goal: Ensure compliance systems are working; includes ongoing monitoring,
incident response and evaluation, and disaster recovery.

Activities and Deliverables: Evidence showing Business Continuity and Disaster
Recovery plans, and documentation showing that they work.

Key Documents: Business Continuity and Disaster Recovery Plan and Incident
Reporting.

Software Recommended: Infrastructure systems such as AWS, Google Cloud, or
Microsoft Azure


CC8 Change Management

Framework: Infrastructure Change Management

Goal: Changes to technical infrastructure are well tested and approved before
going live.

Details: The entity authorizes, designs, develops or acquires, configures,
documents, tests, approves, and implements changes to any infrastructure, data,
software, and procedures to meet its objectives.

Activities and Deliverables: Clear controls for how technical infrastructure (the
system) changes, and evidence that the changes were tested and approved before
going into production.

Software Recommended: GitHub for pull requests and a task manager such as
Clubhouse or JIRA for engineering workflows.
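An auditor testing CC8 will sample merged changes from the period and ask for the approval and test evidence behind each one. The check below, an added example written for this playbook and not Blissfully's code or a GitHub feature, runs the same test over an export of merged pull requests so that gaps surface before the auditor finds them: a merge into a production branch with no approval from someone other than the author, with failing or absent CI, or with no ticket authorizing the change. The record fields, the rules, the protected-branch names and the sample data are assumptions; build the records from your own VCS and ticketing exports.

```python
"""Change-management evidence check (CC8).

Added example, not Blissfully's code and not a GitHub feature. A MergedChange
is a record you would build from your VCS and ticketing exports; the field
names, the rules, and the sample data below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class MergedChange:
    number: int
    base: str                   # branch the change was merged into
    author: str
    approvers: FrozenSet[str]   # reviewers who approved the FINAL revision
    ci_status: str              # "success", "failure", "pending" or "none"
    ticket: str = ""            # JIRA/Clubhouse id that authorized the change


@dataclass(frozen=True)
class Finding:
    number: int
    rule: str
    detail: str


PROTECTED_BRANCHES = {"main", "master"}   # what counts as "production" (assumption)


def audit_changes(changes: List[MergedChange]) -> List[Finding]:
    """Flag every merge into a protected branch that lacks CC8 evidence."""
    findings: List[Finding] = []
    for c in changes:
        if c.base not in PROTECTED_BRANCHES:
            continue                       # feature branches are out of scope
        # Approval must come from someone other than the author, and must
        # apply to the revision that was merged: an approval given before a
        # later push is not evidence that the merged code was reviewed.
        if not (c.approvers - {c.author}):
            findings.append(Finding(c.number, "no_independent_approval",
                                    f"approved only by {sorted(c.approvers) or 'nobody'}"))
        if c.ci_status != "success":
            findings.append(Finding(c.number, "ci_not_passing",
                                    f"tests reported '{c.ci_status}' at merge time"))
        if not c.ticket:
            findings.append(Finding(c.number, "no_change_ticket",
                                    "no linked ticket authorizing the change"))
    return findings


def summarize(changes: List[MergedChange], findings: List[Finding]) -> Dict[str, int]:
    """Counts an auditor will ask for: in-scope merges, and how many were clean."""
    in_scope = {c.number for c in changes if c.base in PROTECTED_BRANCHES}
    flagged = {f.number for f in findings}
    return {"in_scope": len(in_scope), "clean": len(in_scope - flagged),
            "flagged": len(flagged)}


# Constructed sample, as if exported for one review period (not real data).
SAMPLE_CHANGES = [
    MergedChange(101, "main", "ana", frozenset({"bo"}), "success", "ENG-12"),
    MergedChange(102, "main", "ana", frozenset({"ana"}), "success", "ENG-13"),
    MergedChange(103, "main", "cy", frozenset({"bo"}), "failure"),
    MergedChange(104, "feature/x", "bo", frozenset(), "none"),
]


def audit_sample() -> List[Finding]:
    """Audit the constructed sample."""
    return audit_changes(SAMPLE_CHANGES)


if __name__ == "__main__":
    found = audit_sample()
    for f in found:
        print(f"#{f.number} {f.rule}: {f.detail}")
    print(summarize(SAMPLE_CHANGES, found))
```

Branch protection rules in the hosting platform are the preventive control; this report is the detective one, and a run per review period with zero findings (or findings with documented exceptions) is the evidence that the control operated throughout a Type II window rather than only on the day the branch rule was configured.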


CC9 Risk Mitigation

Framework: Risk Mitigation and Vendor Management

Goal: Mitigate risk through defined business processes and vendor management.

Activities and Deliverables: Business continuity, business insurance, and vendor
management, including vendor due diligence and ongoing oversight, especially for
cloud-hosted vendors.

Key Documents: Vendor processes, assessments, and approval from key
management personnel.

Recommended Software: SaaS management software such as Blissfully can help
mitigate risk across the organization.


How Blissfully Helps with SOC 2 Compliance

Internal Workflows

SOC 2 CC1: Control Environment

Workflows are at the heart of every organization. As an organization grows from
two people to five to ten, and so on, these workflows can introduce security
loopholes. SOC 2 CC1 addresses your control environment, of which workflows
are a component.


Blissfully's workflow suite includes predetermined workflows for the most
common business tasks, including employee onboarding, offboarding, vendor
requests, approvals, renewals, and terminations. It also includes the ability to
build, save, and repeat your own customized workflows to match your particular
internal processes.

When you use Blissfully for SOC 2 compliance, all your workflows are
documented as exportable logs. When you decide to undertake a SOC 2 audit,
you can easily pull these logs and present them as evidence to your auditors.

Vendor Management

SOC 2 CC5: Control Activities

The average mid-sized company uses around 120 SaaS tools. That's
a lot of vendors. Lack of visibility into who all these vendors are and how they
interact with your company can be grounds for SOC 2 noncompliance.
Maintaining unwieldy spreadsheets, while common practice, fails to capture
crucial real-time data regarding your vendors.

Blissfully solves this through a vendor management module. Within the module,
you will find four essential tools to help you meet your compliance objectives:

Vendor management workflows

Under SOC 2, the Control Activities CC includes how you manage the entire
vendor lifecycle. Our vendor management workflows tool gives you visibility on
your entire vendor network. It also gives you the tools to delegate purchasing,
downgrade, and upgrade rights to selected roles while maintaining an audit trail.

Document management
The vendor workflows module creates an audit trail using an intuitive document
management system. As you consume SaaS resources, we listen in on all your
subscriptions and collect and organize all your contracts, SLAs, invoices and other
important documents. Such a documentary audit trail is vital during a SOC 2 audit.

Enrichment
Do you know whether your vendors have SOC 2 compliance? How about GDPR,
ISO 27001, and CCPA? Blissfully pulls vendor compliance statuses right into
your vendor dashboard. With this data, you can curate a compliance matrix across
your entire vendor network, an exercise crucial to demonstrating vendor
compliance.


Renewals
Blissfully vendor management brings all your renewal data into one place. With
such access, you can evaluate vendors for compliance factors before renewing. In
this way, using Blissfully for SOC 2 transforms renewals from a passive activity
into an active compliance-centered action.

SaaS Discovery, Security, and Monitoring

SOC 2 CC6: Logical and Physical Access Controls

While the broader CC6 framework covers both logical and physical access
controls, Blissfully helps you manage logical access controls. We do this by giving
you enhanced visibility of all the third-party apps in use at your organization.

App discovery and tracking give you a single source of truth as support for your
SOC 2 compliance documentation.

Moreover, security monitoring provides ongoing access control data collection
crucial to your SaaS security audit compliance. If a new app is added to your
organization or there's a user state change, Blissfully captures this data as
exportable activity logs.

Through this data, you can demonstrate the measures you have taken to control
logical access across all your organization's apps. Using Blissfully for SOC 2
compliance gives you a centralized view of all third-party SaaS apps in use in your
organization, and tools to help you manage how your personnel interact with
them.


SaaS Codex and System of Record

SOC 2 CC9: Risk Mitigation

One of the challenges companies face when creating a risk mitigation plan is the
lack of a system of record. A system of record is a single source of truth providing
transparent, auditable data about a process within an organization.

Organizations using different SaaS products without a point of convergence
struggle to create a unified system of record. Blissfully solves this by providing a
converged system of record built on an extensive SaaS codex.

Here's how it works.

You have multiple vendors. Blissfully collates all these vendors and pulls vendor
data from the SaaS codex. Blissfully then automatically collects and compiles
usage data on each. Such data will include users, admins, access rights, costs, and
more.

With this data, we create for you a complete picture, or system of record, of your
entire organization's app ecosystem and usage. From this snapshot, you can create
and enforce risk mitigation measures.

As you undertake risk mitigation measures, using Blissfully for SOC 2 will help you
maintain a real-time system of record ready for your next audit.


In Summary
Using Blissfully for SOC 2 gives you the tools to help you meet requirements
across four of the nine Common Criteria. Underpinning all these tools is an
integrated system of record. Through this system of record, Blissfully gives you
real-time insights and data into your SaaS ecosystem.

Using these insights and data, you can generate reports usable as credible proof
towards your SOC 2 compliance. Whether you are seeking SOC 2 compliance or
need greater visibility and control over your SaaS app ecosystem, Blissfully gives
you the tools to drive your agenda.




www.blissfully.com