We’ve been known to cut up a little bit in our blogs and do the most. But today, we’re talking about something that is no laughing matter: the safety and security of your data and messages, whether you’re an email service provider (ESP) or direct sender.
Cyberattacks are increasing in frequency, and the potential damage from just one can be devastating to an organization. While no business is completely safe from the latest threat technology, it’s absolutely essential to stay committed to security, stay aware of the evolving strategies of bad actors, and defend against them with a multi-layered defense.
Since privacy and security are not things to skim over when evaluating a service provider, we’ll lay out what we offer to our senders to ensure you know we are “doing the most” in a good way.
SOC 2 Type 2
Let’s start with the biggest step we can take. Not everyone is SOC 2 Type 2 certified. We are happy to report we are.
Developed by the American Institute of CPAs, SOC 2 is an auditing procedure to prove an organization handles data in a secure manner to protect users and, ultimately, to protect the organization itself.
There are several badges of honor you can earn to prove your commitment to data diligence, but the most important today is SOC 2 compliance.
What is SOC 2 Type 2?
We’ll be totally frank with you here. SOC 2 certification is highly complex. Because this information is important and very specific with lots of nuance, we’ll supply it verbatim from the American Institute of CPAs to ensure we’re representing the criteria accurately.
Below are the main categories within which all the relevant processes and procedures live. For full details, click here to get to the full Trust Services Criteria document and start your journey on page 5. Following that brief overview, you’ll see the in-depth checklist against which organizations are evaluated.
Here they are:
- Security
Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
- Availability
Information and systems are available for operation and use to meet the entity’s objectives. They address whether systems include controls to support accessibility for operation, monitoring, and maintenance.
- Processing integrity
System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation.
- Confidentiality
Addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives.
- Privacy
Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
SOC 2 Type 2 security is a must-have today…except some don’t have it.
Today, data security isn’t a luxury to offer your users at a premium. It is the absolute bare minimum you should provide within your core services. There’s no excuse to not be diligent with user information, especially when the stakes are so high.
Just ask Twitter (sigh, X). Or Uber. Or DoorDash.
But for us at SocketLabs, as an email sending solution, we are not only responsible for the data of our customers, but we also service other email service providers who have their own customers with THEIR own data. MailChimp found out a little something about this in 2022.
It’s like data Inception. It’s a huge responsibility and we take it very seriously, and because we know you do too, we go above and beyond as a partner.
Because we are SOC 2 Type 2 certified, we’ve demonstrated that our standards are put into action and that our data is secure; the audit is proof it isn’t simply theoretical, and that we follow the practices we preach.
And let’s be honest. SOC 2 Type 2 is a bare minimum for us. We’ve been hyper security-focused since the beginning of this company and it’s not something we will backslide on, ever.
GDPR Adherent
Considering it became effective in 2018, the General Data Protection Regulation (GDPR) sounds like old news. Wrong. It’s still a very highly enforced piece of legislation.
Here’s our original write-up about GDPR and how it affects the email world at large.
Whereas SOC 2 Type 2 compliance can be considered a nice-to-have, GDPR adherence certainly cannot. If a sender fails to adhere to GDPR standards, they could be subject to a very hefty fine. Need a shocking example?
Meta was fined 1.2 billion Euros in May 2023. Certainly, Meta is not hurting for cash, but the size of the fine is staggering.
GDPR isn’t only about data privacy; it’s about safeguarding the trust of recipients and senders alike. SocketLabs operates as an ESP for both direct senders and those sending for others, so we have double the responsibility to ensure GDPR compliance. If you’re an ESP using our platform, you need to be strict about your senders’ data practices. If you’re a sender who isn’t sending compliant mail, we can and will cancel a contract if remediation isn’t evident. We just don’t play around with data security.
CASL Adherent
Canada doesn’t play around either. They also created and enforce a data security policy similar to GDPR called Canada’s Anti-Spam Legislation (CASL). Love it; can’t get more direct than that. It decrees that while you can still send marketing mail (of course), it needs to be clearly identified as marketing mail and adhere to several GDPR-like standards in order to be compliant with the law.
Here are the full details in case you want more granular guidance.
At the end of the day, if you’re following the standards set by GDPR, which include the most stringent data protection rules, you’ll be CASL compliant by default. They’re similar in nature and scope: if you’re mailing to Canada from anywhere in the world, you are required to be CASL-compliant.
From our perspective, respecting our Acceptable Use Policy also means respecting our commitment to safe mail.
CAN-SPAM Adherent
Unfortunately, this isn’t saying too much in regard to safety. GDPR is much stricter and more effective than American laws regarding data privacy and protection. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) is, unfortunately, close to a license to spam so long as you aren’t doing something egregious. And even if you’re doing something at a high volume, the monetary punishments have historically been lower. Amobee ended up paying nearly $5 million in CAN-SPAM violations, but that’s still short of an 8-figure punishment. That’s not to say it can’t climb higher, because the fees are assessed per email or recipient, but it’s not often enforced to the GDPR degree.
You cannot operate with spammy practices when you’re an American business sending mail to the EU, but you can be spammy when sending to the United States. For GDPR, it doesn’t matter where the email originates, so long as it concerns an EU resident and their data is involved: you need to comply. Here, you can send CAN-SPAM compliant mail to anyone, provided they’re in the U.S.
As such, we require you to comply with CAN-SPAM. Any email violating the guidelines set by GDPR will be addressed. We have an acceptable use policy outlining our requirements to use our platform. There’s an added layer of complication for our ESP users: you need to be enforcing your own compliance as well, because any of your senders violating the policy will put your contract with us in jeopardy.
CCPA Adherent
While California is in the United States, they determined CAN-SPAM was not sufficiently protecting their residents. They drew up and enacted legislation similar to GDPR called the California Consumer Privacy Act. Here’s the document outlining the guidelines and the consequences of failing to comply.
Fines are structured similarly, with a per-consumer fine of up to $7,500 if the violation was proven to be intentional. Most people aren’t sending suspicious mail to 10 people, are they? The numbers add up.
We require CCPA compliance for the exact same reasons as GDPR and CASL. In fact, we formalized CCPA adherence by adding an addendum to our agreement absolutely prohibiting the sharing of data not in compliance with the legislation.
The risk of poor practices leading to jeopardized data is too great to play around with. It’s a shared responsibility to treat data breaches, and the dangerous emails designed to access that data, as very serious. You can trust we take it as seriously as you do (or should).
In Closing
Just like SOC certification, email operates on trust. The quality of your email partners can have a significant positive or negative impact on your outcomes.
When partnering with us, we have a strict expectation: Don’t send any mail not adhering to our Acceptable Use Policy. That’s really our standard of security overall. We ourselves go the extra mile to ensure we’re a safe and secure location to store personal data of both our senders and their senders, no matter who they may be.
When you send with SocketLabs, you can take comfort knowing we’re certified safe to the highest degree, and we expect the same level of quality to apply to the practices of our senders. We’re a good provider to partner with, we can assure you.