Today, we announced that Tetra Data Platform (TDP) has achieved Service Organizational Control Level 2 (SOC 2) Type 2 Security validation. SOC 2 Type 2 is a widely-accepted standard developed by the American Institute of Certified Public Accountants (AICPA) — a top-down best practices compendium for building and operating secure services (e.g., cloud-resident, mission-critical applications like TDP). Alignment with the standard is attested to in a report, produced by an independent auditor after months of preparation and active evaluation, and the process will be repeated annually, going forward, to guarantee continuous adherence.
SOC 2 Type 2 covers the details of product architecture pertaining to security, plus software development and operations processes and practices. In other words, it looks at everything: from how TDP encrypts data, controls access, maintains logs and backups, and implements global secure architectural models like "the principle of least privilege" (among many other details) to how TetraScience as an organization manages the details of continually building, releasing, extending, and operating instances of TDP in the field. It examines how we hire, train, and grant privileges to software developers, operations people, managers, and officers; how we implement version control, scan product components for vulnerabilities, and evaluate and confront security threats; and how we plan and prepare to mitigate incidents, should they occur, and collaborate transparently with customers to help assure their own security and compliance.
The SOC way of looking at services aligns very well with how we, at TetraScience, visualize, discuss, and implement our mission, day to day, quarter over quarter. TDP is a cloud-native platform that marshals a host of public cloud services, and its architecture (and TetraScience's operations practices and strategy, more broadly) shares responsibility with public cloud providers and our customers for controlling risk: making this safe, functional, and efficient.
Customers, meanwhile, are using TDP as far more than a "point solution." They're using our platform to create and scale an organization-wide nervous system for harmonized R&D data: the necessary precondition for improving efficiency and accelerating discovery today, and potentially across the event horizon to enable the "Lab of the Future," tomorrow. That means we need to hold up our end of a long-term bargain to provide broad technical and organizational support for our customers' own compliance efforts, around GxP and attendant standards like 21 CFR part 11 / Annex 11.
Achieving SOC 2 Type 2 validation is therefore just part of an ongoing process. Our Compliance Team and Executive Staff have committed to aligning and certifying with a host of relevant standards, including:
- Maintaining SOC 2 Type 2 alignment
- Pursuing ISO 9001 quality certification
- Assuring data privacy and GDPR compliance
- Obtaining ISO 27001 Information Security Framework certification
We're following a planned arc here, and are making relatively massive investments to see these processes through, expeditiously and sustainably. Compliance (and, more broadly, organizational discipline) isn't a "once and done" thing. As Patrick, Spin, and other TetraScience leadership continually emphasize, the only way forward is to make a long-view, dynamic, organizational commitment to quality and transparency: where product(s), cloud substrates, business, culture, and ecosystem all get continuous attention, and evolve as one, inseparably.
TetraScience recently released its GxP Whitepaper, detailing product design considerations, security principles, and quality management controls set up to support TDP users' compliance efforts. Our Compliance Team stands ready to support customer GxP validation needs with a range of artifacts, documentation, training, and engineering/operations services for Installation and Operational Qualification, providing an inspection-ready solution in the cloud.