SOC it 2 us: Cockroach Labs 2022 SOC 2 Type II Compliance Report

Last edited on July 25, 2022

    Back in April 2021, Cockroach Labs completed our first SOC 2 Type II audit. Now, thanks to collaboration between multiple teams led by the Compliance team, we have completed our second.

    As CockroachDB continues to evolve and add new products and features, we need to ensure that those new products and features meet various sets of security and compliance standards. This latest SOC 2 Type II audit covers a full 12 month review period for both of CockroachDB’s managed services offerings, CockroachDB Dedicated and CockroachDB Serverless. But before we get more in-depth on this new addition, let’s quickly recap what a SOC 2 Type II audit covers and why it’s important.

    A SOC 2 audit is an assessment of an organization’s controls covering the security, availability, confidentiality, privacy, and processing integrity of a system or service. These controls stem from sets of criteria called Service Organization Controls (SOC) established by the American Institute of Certified Public Accountants (AICPA). The resulting report describes what the service offering/system does, the controls and procedures that map to the SOC criteria, and the results of the auditor’s testing of those controls. SOC 2 is the best-known InfoSec certification, since it reviews and confirms the claims a company makes about its security processes.

    So what’s new with this new SOC 2 report?

    This is indeed our second SOC 2 Type II report — SOC 2 Type II v2 2022 (that’s a lot of 2s) — but it is actually an expansion of the first one.

    First, this report covers a full 12 months while our previous SOC 2 audit covered only a six month period. This doesn’t mean our previous SOC 2 audit is any less credible than our new SOC 2 audit! Covering 12 months provides more assurance that Cockroach Labs’ controls are operating efficiently and effectively. The longer the audit review period, the more scrutiny a company is under to ensure that their security and compliance controls and processes are operating as claimed. A longer review period also gives assurance to our customers that our controls have been operating effectively for an extended period of time, demonstrating our commitment to maintaining the internal controls required to provide a secure and stable platform.

    Second, this new audit also covers CockroachDB Serverless. This free DBaaS version of CockroachDB gives users instant access to a horizontally scalable relational database that they can spin up in seconds, without worrying about hardware details or capacity planning. With regard to SOC 2 assessments, the controls that remain the customer’s responsibility are outlined in the Complementary User Entity Controls section of our SOC 2 report. Cockroach Labs handles everything else.

    Although CockroachDB Serverless is an easy-to-use product for customers, its architecture is quite different from that of CockroachDB Dedicated. Adding CockroachDB Serverless to our SOC 2 audit was deemed a significant change. Since significant numbers of multitenant CockroachDB Serverless clusters are deployed and operated on an underlying physical CockroachDB database cluster, one would expect auditing and assessing the CockroachDB Serverless product to be vastly different from auditing the CockroachDB Dedicated product. It turned out to be quite the seamless SOC 2 audit, though!

    Cockroach Labs’ control set is flexible, meaning that the security and compliance controls designed and implemented can be applied to both a single-tenant AND multi-tenant architecture — which includes CockroachDB Serverless. For example, when it comes to the control of the retention period of production backups, we first ensure that the retention period, at a minimum, meets industry standards. Then we implement it for all in-scope products involved, making sure they all meet the same security and compliance requirements.

    Simply put, when we design and implement new controls we take account of our roadmap of products and features to ensure that we meet industry standards and requirements as part of the development process. Ultimately, we only had to introduce two new controls to our overall control set to ensure CockroachDB Serverless meets the SOC 2 standards and criteria.

    What SOC 2 means for our customers

    So when you’re deciding whether to start on or move to CockroachDB Dedicated or CockroachDB Serverless, you can rest assured that your security and compliance needs can be met equally by either, since they share the same standards. Cockroach Labs also maintains a Trust Center page (not new, but worth mentioning) that provides current and prospective customers with details about the availability, security, and compliance of our products and services. For detailed SOC 2 information and to view the report, customers are invited to contact their Cockroach Labs representative.