One of our core values at Stack Overflow is adopt a customer-first mindset. This means we keep our customers at the front of our minds and seek to authentically serve them through our work. Security is the foundation of the products we build, and we want you to feel absolutely secure and comfortable using them in your own organizations. To demonstrate our ongoing commitment to security and our customers, our hosted Enterprise plan has been SOC 2 Type II compliant since 2020, and we’re excited to now offer this on our Business plan.
The end result of this process is a SOC 2 Type II report that customers can request, which attests that the security controls that we say we have in place do the things we claim they do and meet a known standard.
We have had the following security controls in place on our hosted Enterprise plan since 2020 and now for our Business plan:
Hosted Enterprise plans:
- Encryption on all storage and traffic—at rest and in motion.
- GDPR compliant & Standard Contractual Clauses for data transfers
- Clients can use their own SAML 2.0 Identity Provider (IdP) to ensure no one else sees their credentials.
- ISO27001:2013 (including 27701) certification
- Single-tenant environment
- SOC 2 Type II report
Business plans:
- Encryption on all storage and traffic—at rest and in motion.
- GDPR compliant & Standard Contractual Clauses for data transfers
- Clients can use their own SAML 2.0 Identity Provider (IdP) to ensure no one else sees their credentials.
- SOC 2 Type II report
What exactly is a SOC 2 Type II report?
A SOC (Service Organization Controls) 2 Type II report attests that the controls that we put in place match established and trusted requirements—including applicable international security standards—and are effective at doing what we say they are doing. The SOC 2 examines the policies and controls around security, availability, processing integrity, confidentiality, and privacy. There are two SOC 2 reports; Type I confirms sufficient and necessary controls are in place, while Type II tests control effectiveness over a sustained six month period.
To perform the review, we hired an independent security audit firm experienced in compliance standards. They requested and collected evidence of our compliance with the required controls. The controls provide defenses against security threats. We repeat this process every year and receive an updated report every year.
What did we do to prepare for the report?
While we can’t tell you the exact controls we put in place—we’d need an NDA from you because of our security policies—we can say that we started from a solid foundation. Our information security program has based its measures on ISO 27001, the international standard framework for information security management controls. So we had a head start.
Our Director of Information Security, Lynn Ballard, was impressed with how security-minded Stack Overflow was when she got here. We’re a company built on a community, so trust is important to us. But Ballard said that trust isn’t always enough.
“Many companies don’t build security into their processes. People at Stack Overflow really get security,” says Ballard. “Completing our SOC2 audits, first for our hosted Enterprise plan followed by our Business plan, was simply the formality of documenting it, the procedure, making sure people are trained, and then proving that we implement security appropriately.
“We implement controls to not only show our community and customers that we’re serious about security, but to have a framework that we can measure over time to ensure we have continuous improvement in our security program. The open and honest culture we've built over the years is great, but customers are going to want more than our word, that’s where a third-party evaluation comes in and provides that peace of mind.”
"The open and honest culture we've built over the years is great, but customers are going to want more than our word, that’s where a third-party evaluation comes in and provides that peace of mind.” Lynn Ballard, Director of Information Security at Stack Overflow
With Stack Internal, we’ve created the best way to collaborate and share your proprietary knowledge amongst your team. The information your organization shares there is precious and proprietary, and we make sure that information is secure from external threats.
But don’t take our word for it; we're ready to share our SOC 2 Type II report and so you can see the proof yourself.