Building Security & Compliance Capability at Turing Tech

Our experience building security and compliance execution capability while pursuing SOC 2 on behalf of our clients.

At Turing Technologies, we are committed to helping our clients meet the security and compliance standards their customers ask for, including SOC 2, ISO 27001, GDPR, and FedRAMP. To serve our customers better and to strengthen our own security posture, we have embarked on an internal journey to build the necessary expertise and capabilities.

Strengthening Our Security Foundations

In March 2024, Turing Tech welcomed a new team member at a pivotal moment—one of our initiatives required SOC 2 certification. As we scaled, new security requirements emerged from our enterprise clients, presenting both challenges and opportunities. Before executing our SOC 2 compliance strategy, we needed to educate our team, build security capabilities, and introduce best practices to embed security at our core.

From the outset, our team prioritized best development practices, but we had not yet fully aligned our platform with globally recognized security frameworks. This challenge presented a unique opportunity—not only to implement industry-leading security measures but also to foster a security-first culture within our organization.

To stay ahead in an increasingly security-conscious industry, we recognized the importance of continuously building our security and compliance competence across the company.

Key Initiatives to Build Security & Compliance Expertise

To achieve our goals, we are actively working on the following initiatives:

  • Security Awareness Training: We have introduced company-wide security training to ensure that every team member, from engineers to leadership, understands security risks and best practices.
  • Building Internal Expertise: We encourage team members to pursue industry-recognized certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) to establish a deep, in-house knowledge base.
  • Collaboration with Experts: We are partnering with leading compliance consultants and security specialists to guide us through SOC 2 and other regulatory requirements, ensuring we stay on track.
  • Ongoing Internal Audits: To ensure continuous improvement, we conduct regular vulnerability assessments, penetration testing, and compliance audits to identify and mitigate potential security risks.
  • Cloud Security Enhancements: As a cloud-based platform, we use the AWS-native security services to monitor and safeguard our infrastructure: Amazon CloudWatch for logging, metrics, and alerting; Amazon GuardDuty for threat detection over CloudTrail, VPC Flow Logs, and DNS logs; and Amazon Inspector for vulnerability scanning of workloads. Each of these also produces the kind of evidence a SOC 2 auditor asks for (alerting, monitoring, and vulnerability-management records).

With a clear roadmap in place, we are working diligently to achieve SOC 2 compliance, reinforcing trust with our clients while scaling securely.

SOC 2 Type 1 vs. Type 2 Reports

Understanding the difference between a SOC 2 Type 1 and a SOC 2 Type 2 report is essential. (Strictly speaking, SOC 2 is an attestation report issued by an independent CPA firm under AICPA standards rather than a certification, although the word "certification" is widely used.)

| Criteria | SOC 2 Type 1 | SOC 2 Type 2 |
|---|---|---|
| Audit focus | Evaluates the design of security controls as of a specific date. | Evaluates the design and operating effectiveness of security controls over a review period, typically 3 to 12 months. |
| Timeframe | A single point in time (snapshot). | A defined period (typically 3 to 12 months). |
| Scope | Confirms controls are in place as of the audit date. | Assesses whether controls were in place and operating effectively throughout the reporting period. |
| Depth | Shallower: evaluates control design only and does not test operation. | Deeper: tests both design and operating effectiveness, usually by sampling evidence from across the period. |
| Use case | Organizations just starting a control program, or needing to demonstrate basic compliance quickly. | Organizations with mature controls that need to demonstrate sustained security practice over time. |
| Assurance | Limited: controls existed and were suitably designed on one date. | Greater: controls operated reliably over the whole period. |

We are currently progressing toward SOC 2 Type 1, with a roadmap to achieve SOC 2 Type 2 in the near future. Because the Type 2 observation period only counts from the point at which controls are actually operating and producing evidence, the controls put in place for Type 1 need to generate that evidence (access reviews, change approvals, alert triage records) from day one rather than being retrofitted later.

Learning from Industry Leaders

To refine our security policies and best practices, our team analyzed trust center documentation from leading SaaS companies, including Notion, Asana, Merge.dev, and HubSpot. These resources provided valuable insights into access control, encryption, incident response, and compliance frameworks such as SOC 2 and ISO 27001.

To ensure quick and easy reference, we have organized trust center documents in a centralized repository, allowing our team to continuously learn and improve.

Trust Center Documents Organized in our Drive for Quick Reference


We found HubSpot's Security & Compliance Overview to be especially extensive; it helped our team understand controls and infrastructure security at enterprise scale.

Enhancing Security with Multi-Factor Authentication (MFA)

To strengthen authentication, we have introduced YubiKeys for employees accessing critical systems. A YubiKey is a hardware authenticator: the private key never leaves the device, and when it is used over FIDO2/WebAuthn the browser binds every login signature to the origin it actually connected to, so a login attempted through a look-alike phishing site is rejected by the real service. That phishing resistance comes from the FIDO protocol, not from the hardware alone (the same key's one-time-password modes do not get it), and it only holds if weaker fallback factors such as SMS or app-based codes are disabled for those systems. This extra layer of security ensures our team adheres to the highest authentication standards.
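To show what "hardware-based MFA reduces the risk of phishing" means in practice, here is an added example, not code from the original post or from Turing Tech, of the relying-party checks a FIDO2/WebAuthn server runs on a login assertion from a security key. The RP ID turingtech.example, the look-alike domain login-turingtech.example, and the helper make_assertion (which stands in for what the browser and key return) are assumptions constructed for this example; verification of the key's signature itself is left to a WebAuthn library.

```python
import base64
import hashlib
import json
import secrets

# Assumed relying-party identity for this example; not the company's real domain.
RP_ID = "turingtech.example"
EXPECTED_ORIGIN = "https://" + RP_ID


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(page_origin: str, challenge: bytes, rp_id: str) -> dict:
    """Constructed stand-in for what the browser and key return from navigator.credentials.get().

    The browser, not the page, writes the origin into clientDataJSON, and it only lets a page
    request an rp_id that is a registrable suffix of that origin. A phishing site can therefore
    only obtain assertions bound to its own domain, which the real service rejects below.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    flags = 0x05  # bit 0 = user present (touch), bit 2 = user verified (PIN or biometric)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data), "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that make a FIDO2 login phishing-resistant.

    These run before the signature check; a valid signature over data that fails them is worthless.
    """
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch: replayed or stale assertion"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash is not for our RP ID"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    if not flags & 0x04:
        return False, "user verification flag not set"
    # Remaining step, left to a WebAuthn library: verify the key's signature over
    # authenticatorData || sha256(clientDataJSON) with the public key stored at registration,
    # and check that signCount increased since the last login (clone detection).
    return True, "ok: proceed to signature and signCount checks"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)  # fresh per login attempt, stored server-side
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, challenge, RP_ID), challenge))
    # Adversary-in-the-middle relaying the login through a look-alike domain:
    print(verify_assertion(make_assertion("https://login-turingtech.example", challenge,
                                          "login-turingtech.example"), challenge))
```

The origin string is written by the browser from the URL it actually loaded, not by the page's JavaScript and not by the user, so a relay proxy on a look-alike domain can only forward assertions bound to that look-alike origin. A one-time code typed into the same phishing page carries no such binding, which is why OTP-mode use of the same key does not give this protection.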

What’s Next?

Achieving SOC 2 compliance is just the beginning. Looking ahead, we are actively working on:

  • Pursuing ISO 27001 certification to further enhance our security framework.
  • Expanding our security training programs and continuous compliance monitoring.
  • Ensuring compliance with GDPR and FedRAMP to meet the needs of our global clients.

We are incredibly grateful for the opportunity to build a world-class security program and help our clients meet their compliance goals. For organizations looking for a fresh start with a company that values security and innovation, Turing Technologies is the right place.

By embedding security into every aspect of our operations, we are not only meeting industry standards but setting a new benchmark for secure, scalable, and trustworthy technology solutions.

Engineering @ TuringTech