Deciding which CLM vendor to use for your in-house contract management processes and storage is a big task on its own without having to worry about whether or not the vendors you’re considering are secure. At Lexion, we became SOC 2 compliant so you can easily trust that our systems and your information will be safe with us. For the record, our team has always prioritized security of our customers’ data and our own processes and SOC 2 compliance just offers another layer of commitment to our customers.
This article explains what SOC 2 is, why it should matter to legal teams in their vendor evaluations, how we think about security at Lexion, and provides you with a checklist to get ready for the information your IT department will ask you to do during your vendor evaluations.
What is SOC?
SOC is an abbreviation for Systems and Organizations Controls developed by the Association of International for Certified Professional Accountants (AICPA). A SOC report is the result of an intense evaluation by an external auditor. There are actually two different types of reports that are produced after an audit:
A SOC 1 report is specifically for internal controls over financial reporting. It attests that a service organization meets the criteria of a set of financial controls. It can further attest to the company’s operating efficiency and design over a time span.
A SOC 2 report demonstrates that a service organization has secure control over the systems and processes that handle its customers’ private or sensitive data. SOC 2 reports are also described as the Trust Services Criteria for security and privacy. The most common modules included are:
- Security. Information is safe from unauthorized access and damage during both processing and storage.
- Availability. Systems remaining operational, are monitored, and adequately maintained.
- Confidentiality. Sensitive information is protected according to standards set by legal regulations or contracts between parties.
Your IT Security Checklist
All vendors will tell you that they prioritize privacy and security but SOC is the official stamp that proves it. That’s why your internal IT team will want to know your vendors are SOC compliant. They’ll also likely want to know all of the following about vendors you are considering:
- Are they SOC compliant? As of December, 2021, Lexion is SOC 2 compliant. We’re happy to provide our SOC 2 report to you as you evaluate us as a vendor. Just ask your Lexion Account Executive or note it as part of your demo request.
- Will they complete a security questionnaire? We make this really easy for you with a pre-built one ready at your request that contains answers to all the questions your IT department is likely to have for us. We can also customize answers depending on your specific needs. Again, reach out to your Lexion AE to see our standard security questionnaire.
- Do they use offshore staff or contractors? Lexion’s intelligent AI replaces the need for an army of people to onboard all your contracts into the system. Not all CLMs (in fact most don’t) have AI doing the labor-intensive work of importing contracts. Many, in fact, subcontract that work out to offshore vendors. You will want to make sure any vendors you work with have full control over the access to your data, which means access control and training for all employees. When vendors use offshore help, you have no idea if that person is working on a public computer or network, for example in an internet cafe somewhere with anyone looking at their screen over their shoulder and seeing all your company’s confidential information. As an added bonus, our intelligent AI is immensely faster at onboarding contracts than a team of offshore workers can be.
- Are there people in charge of Privacy and Security in their organization? At Lexion, our CTO, Emad Elwany, also serves as our privacy and security officer.
- Has a risk assessment been completed within the past 12 months? Lexion’s was completed in December, 2021.
- Have they had a penetration test performed by a reputable 3rd party vendor? Lexion’s was completed in September, 2021 by the prestigious firm NCC Group.
- How do they align to Trust Services Principles? (i.e. antivirus, backups, disaster recovery, encryption, intrusion detection, logging, monitoring, vulnerability scanning, etc.). The specifics are available in our security questionnaire and SOC 2 report and you can also visit the security page of our website for a high-level overview.
Lexion Goes Above and Beyond SOC Standards
For many vendors, going through a SOC audit is a painful process that shines the light on tons of work to be done to achieve the required security levels. At Lexion, going through our own SOC audit was actually pretty painless as we were basically compliant already. That’s because we already went way beyond the requirements to pass the audit in almost all areas of our business. With everything already in place, from strong encryption and certified data centers, to application security and regular audits, our customers’ data has always been secure.
Most of the changes we needed to make centered around our internal processes with employees. Specifically, security training for all employees, controls over which employees have access to which systems and data, and monitoring of security settings on employee computers.
Now, all employees have to go through high-level security training on a regular basis and maintain their computer settings at approved security levels.
Unlike some other vendors, Lexion truly prioritized data privacy and secure processes from day one of developing our software service. You can trust that your data is safe with us. It will only be used for intended purposes and will never be shared with any other parties without your explicit consent.