Spectra is a third-party fulfillment provider with SOC 2 Type 2 certification. In a nutshell, that means that we maintain very high standards in keeping the private information under our care from becoming exposed, either to the public through accidental means or to malicious hacking attempts on our systems.
Of course, there are a lot of details under that broad description, and the SOC 2 Type 2 certification specifies a number of measures that are taken by Spectra on an ongoing basis to keep secure data safe. Here’s an overview of just what SOC 2 Type 2 certification means and why you should work with a fulfillment provider that has it.
Service Organization Controls
SOC is not the name of an organization as some people assume, but rather stands for “Service Organization Controls.” SOC is a set of criteria that was developed by the American Institute of Certified Public Accountants (AICPA) to reflect what a company should be doing to protect itself and its clients in several different areas. Basically, if a company can demonstrate that it is following all of the standards listed in SOC, it is a trustworthy partner for other organizations to work with.
The Service Organization Controls are divided into two sets of standards. The SOC 1 set speaks to financial statements, highlighting good bookkeeping practices and clear, honest communication with clients about the flow of money.
The SOC 2 set, on the other hand, is focused on data security. As a fulfillment provider that handles lists of personal information for clients on a regular basis and sends thousands of pieces of mail to individual recipients, Spectra has a responsibility to maintain high data security standards. Certification of compliance with the SOC 2 standards is an important factor when a new client is considering whether to work with Spectra.
SOC 2 Types 1 and 2
Once you know what SOC 2 is all about, there’s another distinction to consider. SOC 2 Type 1 certification is based on a single audit (more about the audit process later), which assesses whether the SOC 2 guidelines are being followed at that moment in time by the organization being audited. This audit is a relatively simple and efficient process.
SOC 2 Type 2 certification audits the same criteria as Type 1, but rather than checking compliance at a single moment, it takes place over a longer period of time, up to a year. By gathering information over this period, the auditor gains much more confidence that the industry's best standards for data security are being followed consistently at the organization, not just in a snapshot of time.
SOC 2 Type 2 Certification Process
Who exactly conducts a SOC 2 Type 2 certification audit? The AICPA, the organization that compiled the SOC guidelines, accredits accounting firms and authorizes their Certified Public Accountants (CPAs) to conduct SOC audits for companies that want to earn Type 1 or Type 2 certification. Spectra has been audited by an independent firm and was granted SOC 2 Type 2 certification by a CPA trained in data security processes.
Data Security Practices
Spectra’s SOC 2 Type 2 certification reflects the high level of commitment to data security that Spectra has maintained throughout its 20+ years of operation. In that time, the landscapes of technology, networking, and cyber crime have evolved quite a bit, and the Spectra leadership team works hard to ensure that the organization’s practices are up to the task of protecting sensitive data at all times. These practices fall into several categories:
- Privacy and confidentiality. At the most basic level, we make sure that when information like patient addresses, account numbers, phone numbers, and medical data is shared with us, we restrict access to that information to the individuals who need it in order to carry out that specific project. Security measures like two-factor authentication, encryption, and strong username/password protection are basic yet effective ways to keep the exposure of data to the absolute minimum.
- Network security. Firewalls are kept up to date in order to defend against new computer viruses, spyware, and other hacking attempts. We have experts and procedures in place to respond immediately with current best practices if an attack of any kind were to impact our network.
- Quality assurance. Whenever humans are involved, simple mistakes are possible. Quality assurance measures help us mitigate the risk of those mistakes. We implement processes that constantly check the work that our team is doing to verify that information is not accidentally exposed to the public and that documents containing personally identifiable information are not sent to the wrong recipients.
Keeping Our Clients’ Data Safe
There are many different types of projects that we handle for our clients which require the highest data security standards. Here are a few examples for which SOC 2 Type 2 certification is a must-have when organizations are looking for a third-party fulfillment partner to help.
- Clinical trial recruitment. This correspondence is based upon patients’ diagnoses and medical history, and is strictly regulated by HIPAA standards. While the Spectra team prints personalized recruitment letters for clinical trials, data security protocols keep PII access restricted to those who need it for the project.
- Medical insurance letters. Insurance policy numbers and account history are valuable targets for criminals. When mailing these and other sensitive pieces of mail, Spectra utilizes pressure seal mailers and other envelope types that conceal private information while the documents are in transit.
- Bills and financial statements. Bills for service may include financial information for the recipients that must be protected at all stages of the fulfillment process.
Spectra’s entire operation is SOC 2 Type 2 certified, so clients can have peace of mind that their data is well defended against exposure while the Spectra team is handling it. From marketing mailers to official pieces of correspondence, we pride ourselves on giving each job the quality control and safety measures necessary to keep sensitive information from falling into the wrong hands.


