As a valued digital asset platform, we are committed to consistently surpassing industry standards and customer expectations for security controls. 

Back in July 2023, we solidified our data security measures with the successful completion of a SOC 2 Type 2 audit conducted by A-LIGN. Today, we have taken this commitment even further by achieving both the SOC 3 Type 2 audit and renewing our SOC 2 Type 2 audit for the second consecutive year with no exceptions. 

But what do these assessments entail, and why are they important for you? Read below as we dive deeper into what SOC 2 and SOC 3 compliance means for you, and how these standards enhance the security of your data on Nexo.

What Are SOC 2 and SOC 3 Reports?

SOC 2 and SOC 3 are auditing standards maintained by the American Institute of Certified Public Accountants (AICPA) to test an organization’s internal controls for security and privacy. Reports are issued by independent third parties and are based on the Trust Services Criteria (TSC) defined by AICPA. While similar in coverage and scope, SOC 2 and SOC 3 serve different purposes. 

• SOC 2: This detailed report evaluates how well a company’s controls align with the Trust Services Criteria and is typically intended for a restricted audience including management, customers, and their auditors.
• SOC 3: This is a more concise, public-facing report that provides an overview of the SOC 2 findings, making it suitable for broader distribution.

For Nexo, these assessments underscore our efforts to apply the highest standards of security, availability, processing integrity, confidentiality, and privacy in how we manage and protect your data. Rather than a quick check-up, the process involves examination over extended periods to validate our protocols and controls.

The Trust Services Criteria: What You Need to Know

The Trust Services Criteria are a set of AICPA standards used to assess the effectiveness of a company’s controls related to data management. In 2024, we expanded the scope of our audit with an additional Trust Service Criteria – Confidentiality.

The American Institute of Certified Public Accountants (AICPA) Trust Services Criteria.

There are five key criteria:

• Security: This is the baseline critetia, mandatory for all SOC 2 reports. It focuses on protecting information against unauthorized access and breaches.
• Availability: Evaluates the system’s operational uptime and accessibility, which is critical for businesses, where continuous service is essential.
• Processing Integrity: Ensures that system processing is complete, valid, accurate, and timely. Processing integrity is key in operations where processes are automated.
• Confidentiality: Confidentiality measures are essential for managing sensitive corporate information, client data, and any other information labeled as confidential, utilizing encryption and access controls to safeguard such data.
• Privacy: Addresses the handling of personal information, ensuring it is collected, used, retained, and disclosed appropriately.

Why SOC 2 and SOC 3 Compliance Matters

• Enhanced Trust and Transparency: Achieving SOC 2 and SOC 3 compliance assures you that Nexo adheres to stringent standards for data security and privacy. This enhances trust in our services and demonstrates our commitment to maintaining robust controls.
• Detailed Assurance: SOC 2 reports provide a comprehensive assessment of our controls, including how effectively they are implemented over a specified period, which can be from three to twelve months. This depth of detail helps in understanding our operational reliability.
• Public Confidence: SOC 3 reports offer a high-level overview, making them ideal for public distribution. They provide reassurance to clients and stakeholders about our commitment to high standards without exposing sensitive details.
• Regulatory and Client Requirements: Many clients and industries require SOC 2 and SOC 3 compliance to ensure that their service providers meet rigorous security and operational standards. Our compliance helps meet these requirements and fosters strong business relationships.
• Continuous Improvement: Regular audits and compliance renewals help us identify areas for improvement, ensuring that we continuously enhance our controls and practices to meet evolving security and privacy needs.

How We Ensure Compliance

To achieve SOC 2 Type 2 compliance, we undergo rigorous audits over a defined observation window, typically ranging from three to twelve months. This process is time-consuming as it involves continuous monitoring of our controls to ensure they meet the required standards throughout the observation period.

By selecting the right Trust Services Criteria that align with our business needs and client requirements, we ensure that our SOC 2 and SOC 3 reports accurately reflect our commitment to security and data protection. This careful selection process helps us maintain the highest standards of compliance.

Conclusion

Nexo’s successful completion of the SOC 3 Type 2 audit and renewal of the SOC 2 Type 2 audit reaffirms our dedication to maintaining robust data security and privacy practices. These assessments provide you with the assurance that your data is handled with the utmost care and integrity.