System and Organization Controls
Smartsheet System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how Smartsheet achieves key compliance controls and objectives.
These reports are intended to provide Smartsheet customers with detailed information and assurance about the controls at Smartsheet relevant to security and the availability of the systems Smartsheet uses to process users’ data and the confidentiality of the information processed by these systems. Smartsheet currently has the following reports available to customers:
- Smartsheet SOC 2 Type 2, available to current or prospective customers through our Security and Governance request form
- Smartsheet SOC 3, publicly available report from the Smartsheet assessor
Questions about Service Organization Controls
What is a SOC2 Report?
Increasingly, businesses outsource basic functions such as data storage and access to applications to cloud service providers (CSPs) and other service organizations. In response, the American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Controls (SOC) framework, a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. This aligns with the International Standard on Assurance Engagements (ISAE), the reporting standard for international service organizations.
A SOC 2 audit gauges the effectiveness of a CSP's system based on the AICPA Trust Service Principles and Criteria. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of SOC 2 and SOC 3 reports.
At the conclusion of a SOC 2 audit, the service auditor renders an opinion in a SOC 2 Type 2 report, which describes the CSP's system and assesses the fairness of the CSP's description of its controls. It also evaluates whether the CSP's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
What is a SOC3 Report?
Auditors can also create a SOC 3 report — an abbreviated version of the SOC 2 Type 2 audit report — for users who want assurance about the CSP's controls but don't need a full SOC 2 report. A SOC 3 report can be conferred only if the CSP has an unqualified audit opinion for SOC 2.