Document Scanning Security & SOC 2 Reporting
Worrying about the security of your documents can keep you up at night. But when you work with a document scanning company that has received its SOC 2 Type 2 Report, or is in the process of an audit, you won’t need to count sheep.
A SOC 2 Type 2 Report indicates that a document scanning provider has passed an extensive third-party audit that proves procedures are documented and adhered to across systems and processes in one or more of five control principles: security, confidentiality, availability, processing integrity and privacy. The report is the best way to ensure you have done due diligence regarding how your documents and information will be securely and safely handled while in a document scanning provider’s possession.
No Need to Count Sheep
One of the many areas of process control tested in a SOC 2 audit of a document scanning company pertains to the physical security of the facility. Below is a description of some of those controls. Reading this list, instead of counting sheep, might help you sleep better knowing your documents are being scanned in a secure facility.
- Facility Access: entrance to the scanning facility is restricted to only those with a key, an alarm code and electronic key card access
- Physical Access Monitoring: motion-sensitive cameras monitor the facility, including outside access areas, hallways, workspaces and computer rooms, 24/7/365, and DVR-recorded images are stored on a secure server for 3 months
- Key Card Access & Tracking: every employee’s movement within the facility is controlled and monitored via key cards programmed to provide access to only the areas necessary based on the employee’s job responsibilities
- Key Card Monitoring: uniquely numbered key cards are provided to employees based on their responsibilities and physically checked by administrators on an ongoing basis to ensure that each employee has the appropriate access card
- Door Boxes: visitors requesting entry to the facility must press a button on a door box by the entrance and communicate with the administrative staff to verify identity and determine if the person should be allowed to enter
- Physical Alarm Monitoring: smoke detectors, sprinklers, fire alarms and fire extinguishers are in place, monitored and serviced
- Visitor Logs: all visitors and vendors entering the facility’s secure areas, including the data center, are required to sign a visitor logbook
- Visitor NDA: non-disclosure agreements are signed by every visitor or vendor that requires entry into secure areas
- Photo Prohibition: photography is banned anywhere in the facility
- Mobile Phone Prohibition: cell phones are banned on the production floor
- Tracking System: all boxes containing documents for scanning are entered upon receipt into a tracking system so their location can be identified at any time
- Box Identification: each box is identified upon receipt with a unique identifier including job name, batch number and box number
Seeing Is Believing
We recommend you request to see the company’s SOC 2 Report detailing the controls and protocols that are in place and have been audited within the last year. This will give you confidence that your documents are being handled and processed with the utmost attention to the principles covered by a SOC 2 Type 2 audit, and will also help your entire C-suite and compliance officers sleep soundly at night. You should also visit the facility to see their practices in action first-hand.