Felix Blog - Procurement Industry News & Insights

Felix is proud to announce SOC 2 certification and GDPR compliance.

Written by Kristy Dale | Aug 31, 2023 4:40:32 AM

In August 2023, Felix achieved SOC 2 Type 1 certification and GDPR compliance, an exciting moment for us as we continue to hold ourselves to the highest standards for data security.    

As Felix gains more and more interest from customers across the globe, it's imperative that we uphold the security and privacy safeguards that are recognised internationally, including SOC 2 in North America and GDPR in Europe.


What is SOC 2 Type 1 compliance? 

SOC 2 is a security framework developed by the American Institute of Certified Public Accountants (AICPA) to demonstrate the security processes and controls in organisations such as Felix. By being compliant, all our product and service-related systems meet industry-standard security and privacy protocols. SOC 2 focuses on five Trust Services Criteria (TSC): security, system availability, processing integrity, data confidentiality, and privacy requirements for handling personal information.

To hold this compliance, a company must be audited by an independent certified public accountant, who works with the company on an assessment and determines whether it meets the appropriate standards established by the AICPA.

Being SOC 2 compliant shows that Felix has the governance, infrastructure, and systems in place to protect customer information from unauthorised access, whether from inside or outside the company.


What is GDPR? 

General Data Protection Regulation (GDPR) protects the privacy rights of individuals in the European Union (EU) and European Economic Area (EEA) by giving them control over how their personal data gets used online. It also sets specific rules and principles that businesses worldwide must follow to process that data legally.  

The GDPR outlines several rules and principles that organisations such as Felix must follow, and any breaches can result in harsh fines. Felix has always been open about what personal data we collect, and we process it only for the purposes explicitly specified in our Data Protection and Privacy Policies.

We now have more granular controls and safeguards to ensure our users' personal data will not be processed beyond the stated purposes, unless further processing is considered compatible with the purposes for which the personal data was originally collected. We have also introduced the processes needed to handle changes of consent, withdrawal of consent, and other consent-related data requests.

Felix achieving GDPR compliance demonstrates how seriously we take protecting user data, as the GDPR's requirements are stricter than those of the Australian Privacy Act (1998).


Our journey to SOC 2 and GDPR compliance 

In April 2023 we began the process for Felix to be recognised as compliant for SOC 2 Type 1 and GDPR. Because we are already ISO 27001 certified, most of the groundwork was already in place, which meant we could achieve compliance much faster.

The journey mostly involved developing new processes for data protection and privacy to align with the additional requirements of SOC 2 and GDPR. One major change to achieve GDPR compliance was the introduction of a more in-depth Privacy Impact Assessment during product development.  

The way AssuranceLab, our cybersecurity audit partner, conducts audits suited how Felix operates, which sped up the process. The audit was conducted in an agile manner: over the course of four months, the various controls were audited progressively.

Our audit was completed on 27 July 2023, and the report confirming that we had achieved SOC 2 Type 1 certification status and GDPR compliance was released just three weeks later.


What’s next? 

Felix will be looking towards SOC 2 Type 2 certification in the next 12 months.   

While a SOC 2 Type 1 certification evaluates Felix's cybersecurity controls at a single point in time, a SOC 2 Type 2 report examines how well our systems and controls perform over a period of time. Type 2 audits are more comprehensive and can take 12 months to complete.

Learn more about Felix’s Security and Compliance measures, or contact us to learn more about how SOC 2 and GDPR compliance works and how we adhere to it.