Providing software for your employees and customers is as easy as visiting a website, creating an account, and entering a credit card to pay. Software delivered as a service, without the need to download and install on individual devices, provides tremendous flexibility and efficiency, as the organization generally only pays for what it needs, and does so incrementally (i.e., on a monthly subscription basis).
With storage and infrastructure run by the provider, an organization can often be up and running with new software within days or even hours. The trade-off is that cloud-hosted software usually means the organization has limited control over its data, and that lack of control can become a significant liability, especially when the data in question belongs to your end users, such as customers.
In the event of a data breach at the provider, you are the party your customers will hold accountable, and you will bear the resulting liabilities. Responsibility for the security, integrity, confidentiality and privacy of your sensitive data therefore stays with you even when a third party holds it, and verifying how the provider protects it should be of extreme importance.
SSAE 16 Security
Statements on Standards for Attestation Engagements No. 16 (SSAE 16), effective for service auditor reports covering periods ending on or after June 15, 2011, is an attestation standard that superseded the former SAS 70. Under SSAE 16, an independent service auditor examines and reports on the controls at a service organization (a data center or hosting provider, for example) that are likely to be relevant to its customers' internal control over financial reporting. The resulting written report is the SOC 1 report; it covers the controls the service organization has chosen to describe, not every control it operates. SSAE 16 was itself superseded by SSAE 18, effective May 1, 2017, so a current SOC 1 report will reference SSAE 18 rather than SSAE 16.
These reports are requested on a regular basis as part of risk management reporting, generally for large companies that must measure and report on risk management for their shareholders and other stakeholders. Most organizations today use dozens, if not hundreds, of different apps, hosted by third-party companies and delivered via the internet, that capture and store corporate and customer data.
When those organizations find themselves needing to report on their risk exposure, they ask their vendors, such as their CRM and document hosting providers, who in turn ask their data centers, for reports on their controls. The report that answers the financial-reporting question is the SOC 1 report issued under SSAE 16; a report on security itself is a SOC 2 report, issued under the AICPA's attestation standards against its Trust Services Criteria rather than under SSAE 16 directly.
Service Organization Control (SOC) reports were created by the American Institute of Certified Public Accountants (AICPA) to give service organizations and their customers a common reporting framework as cloud computing and the use of outsourced, third-party SaaS vendors grew. There are three kinds: SOC 1 covers controls relevant to financial reporting, SOC 2 covers controls relevant to security and related criteria, and SOC 3 is a general-use summary of a SOC 2 examination.
In this way, organizations can be provided with audited reports on the security posture of their SaaS vendor or hosting provider. This SOC audit is important when data security is an issue, or in financial reporting when risk management is a consideration.
The SOC 2 is a report on a service provider's controls relevant to the security, availability, processing integrity, confidentiality, and privacy of a system. Security (the common criteria) is in scope for every SOC 2; the other four categories are included only if the provider chooses to have them examined, so check the report's scope statement before relying on it for, say, availability. A Type I report covers the design of controls at a point in time; a Type II report covers their operating effectiveness over a period, typically six to twelve months, and is the one to ask for. The report is an auditor's opinion, not a guarantee: read the exceptions the auditor noted, the complementary user-entity controls the provider expects you to operate, and any subservice organizations (such as the underlying data center) that were carved out of the examination. This is a critical report for any data you entrust to a third-party provider, whether financial data or patient medical records. Note that industry data may also fall under separate compliance regimes with their own controls, such as HIPAA for medical records and PCI DSS for payment card transaction data; a SOC 2 report does not by itself demonstrate compliance with those.
2 Key Advantages of SOC 2 and SSAE 16 Combined
With the SSAE 16 and SOC 2 standards and reports in place, organizations receive multiple benefits.
- Builds Trust
With so many apps, vendors, data centers, endpoints and networks, there needs to be a single source of truth regarding security. These industry standards (SSAE 16 and SOC 2) bring trust and provide peace of mind to companies concerned about the potential misuse or compromise of their sensitive data.
- Reduces Confusion
With an industry standard driving the audit of a vendor's security and privacy controls, organizations do not have to perform their own on-site audit of every provider. This saves the time and money that would go into re-examining controls an independent auditor has already tested, though someone on your side still has to read the report, confirm its scope and period match what you use, and follow up on any exceptions.
How CapLinked Increases Security and Overall Deal Value
Virtual data rooms (VDRs) must be secure in order to prevent the misuse or compromise of sensitive data and documents during the due diligence process of an M&A or private equity transaction. Work with a provider that can easily demonstrate SOC 2 compliance for peace of mind and a smooth process.
Executives, bankers, accountants and their consultants require a solution to manage the flow of document sharing and reviewing in a safe environment. A VDR from CapLinked facilitates due diligence and document management for transactions in the areas of mergers and acquisitions (M&As), private equity and venture capital, supporting bankers, lawyers, accountants, investors, consultants and company owners with the accessibility and security they need.
Start your free 14-day trial of CapLinked today!
Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, Jake covers such topics as security, mobility, e-commerce and IoT.
American Institute of Certified Public Accountants (AICPA) – Clarified Statements on Standards for Attestation Engagements