How Nylas Got SOC 2 Certified and Why it Matters

Nylas set to out achieve SOC 2 certification for the trust principles of security and confidentiality. We're happy to share our certification process.


Back in 2013, Nylas was a small startup in a sea of other API-based companies. Now, developers, startups, entrepreneurs and enterprises all trust Nylas to power their mission critical applications every day.

Trust is earned, not engineered. But, careful engineering actually plays a critical role in growing and maintaining customer trust. This is why we are incredibly happy to announce our SOC 2 certification for security and confidentiality.

 

21972-312_SOC_NonCPA
 
What is SOC 2 anyways?

To those unfamiliar, SOC 2 may sound like just another acronym. In reality, it’s a whole lot more than that. SOC 2 stands for System and Organization Controls. That encompasses everything from how you run your engineering systems, to HR processes like updating job descriptions, and onboarding new hires.

SOC 2 represents the highest degree of excellence in systems and operations control. Think of it as a gold medal. A company can pursue SOC 2 certification in different areas of their organization - Security, Availability, Processing Integrity, Confidentiality and Privacy just like an Olympic team goes for gold in different sports. In SOC 2 terms, these areas are called trust principles.

Late last year, Nylas set out achieve SOC 2 certification for the trust principles of security and confidentiality. Today, we’re certified. This is how we got there.

A pre-SOC 2 snapshot of Nylas’ operations

We work on the Nylas platform everyday. In order to examine the Nylas platform with complete objectivity, we brought in a fresh set of eyes (and experts) to help us map a path forward that ensured both compliance, and best practices for the future.

That’s where the auditors come in. We worked with A-LIGN’s team to achieve SOC 2 certification.

The first step in the process is getting a sense of the distance between your current operational processes and SOC 2 compliant processes. A-LIGN asked our team hundreds and hundreds of questions regarding the trust principles of security and confidentiality to identify what worked and what needed improvement.

A-LIGN gave us a proverbial snapshot of where we were and pointed us in the right direction of SOC 2 compliance. It was up to us to figure out how to get there.

Engineering for security and confidentiality

The reason we chose to work for security and confidentiality certifications is because of our commitment to reliability, transparency, and accountability. Those two trust principles essentially focus on handling sensitive information properly, and building rock solid processes to defend and secure that sensitive information.

When paired together, SOC 2 security and confidentiality principles ensure that our users know we’ve built a reliable infrastructure that’s well-documented, and that there’s a team transparently evaluating the performance of that infrastructure.

Building a road map to SOC-2 compliance

After meeting with A-LIGN, we began mapping out how we would build SOC 2 compliant systems and processes. Our engineering team worked cross-functionally with various other departments to come up with a game plan and put it into practice.

There are no participation trophies for attempting SOC 2 certification. You’re either certified or not. That same black and white principle applies to the SOC 2 processes you build to achieve your certification — you follow them or you don’t. Audits are annual. There are no cheat days.

After we built SOC 2 compliant processes, we followed them religiously. This covers everything from ensuring that there’s tiered access to PII data, to protecting Nylas’ internal confidential data.

For example, if it’s your first day on the job as a designer, it’s unlikely you’ll need to review sensitive customer data. Building tiered account access ensures that you cannot access customer data unless it’s material to your job. The principle of information security must be backed up by a system to enforce it. That system has to be followed to the letter, everytime.

A few months later, A-LIGN did a formal audit to see how we had built SOC 2 compliant systems and if we followed the proper processes managing those systems. Like before, we answered hundreds and hundreds of questions about security and confidentiality. To prove that we actually followed our policies, we also submitted evidence that validated that we followed our established checks and balances. At the end of the audit, we were determined to be SOC 2 compliant in those two areas.

The road ahead

If there were some sort of trophy for SOC 2 compliance, we’d put it on display. Not for us, but for our customers. This certification ensures that customers can build for the future on the Nylas platform and do so with confidence.

Our customers, and their users, send data to and receive data from Nylas. In that sense, Nylas functions like an API-powered bridge, connecting applications to businesses, businesses to customers, customers to their favorite companies. We’re making sure that bridge gets better everyday. We’re working to become certified in additional trust principles, reviewing ISO27001 certification, while maintaining our current SOC 2 certification in future audits. SOC 2 compliance in security and confidentiality is just one critical step in that journey.

About Author

Tomasz Finc

Tomasz is the VP of Engineering at Nylas. He previously worked at Wikimedia and Amazon building agile teams and products. He studied at Berkeley and is often found chasing around his daughter.

Subscribe to Engineering Blog Updates

Start Developing Today

Connect up to 10 accounts (email, calendar, and contacts) for free today.

Start Free Trial