Customer service has long been a slow-moving piece of the broader business landscape, and it’s not hard to see why: business owners are + Read More
You want to provide the best and most accessible service to your customers, so you offer live chat support to provide quick, accurate and personalized answers to their questions.
But even in a world of instant satisfaction, it’s important to take a moment and make sure that your live chat software provider has taken the necessary measurements to keep your customers’ sensitive information safe. Some industries like banking and healthcare have especially strict rules, but every organization is liable should a preventable leak occur.
There are many certifications, both voluntary and mandatory, that live chat software providers have to offer. A voluntary compliance that many organizations should have is SOC 2 Type II. With a SOC 2 Type II certified live chat software, you can sleep well at night knowing that your customer’s data is secure.
What is SOC 2 Type II compliant live chat software?
The American Institute of Certified Public Accountants (AICPA) established the SOC 2 protocol in 2010. They define it as a “report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.”
In other words, to be SOC 2 certified, live chat software providers need to undergo a professional annual audit of their documentation and control framework – including cybersecurity policies, technical tools, and how they control access to their resources (among other, how they control access to your customers’ sensitive information).
In this context, a service organization isn’t only a company that provides traditional services, like legal or accounting. A SaaS company is considered a service organization too. It just provides software as a service (SaaS). Most companies use live chat software in this SaaS model, meaning their live chat software providers are eligible for SOC 2 certification.
SOC 2 Type I vs. SOC 2 Type II: What’s the difference for your live chat software?
Like other service organizations, live chat software providers can be certified under two SOC 2 protocols. Each requires a different type of audit and, results in a different type of report.
SOC 2 Type I Means Your Live Chat Software Provider Did a Good Job at the Specific Time of Auditing.
A SOC 2 Type I audit looks at how your live chat software provider handles cybersecurity at one specific point in time.
However, there is no assurance it handles it well over time. It might be doing great, and it might have had it employees working overtime in the last minute to pass the audit.
SOC 2 Type II Means Your Live Chat Software Provider Has Been Continuously, Efficiently Cybersecure for a Long Period
If your live chat software provider has a SOC 2 Type II certificate, it means it has been audited and certified for strong cybersecurity for at least six consecutive months.
Generally, the entire process for Type II, including preparation, can take a year, versus only 3 months for Type I. Type II is a much deeper, more thorough auditing procedure. It signifies the provider has put some processes in place to be able to deliver high-quality cybersecurity over a long period of time. Not only that, but the audit ensures the implemented policies, processes and technologies have been proven effective over time.
Why your company needs SOC 2 Type II compliant live chat
Not every company needs its live chat to be SOC 2 Type II compliant. But a lot do.
If your live chat reps don’t handle sensitive information – for example, if you only answer general product questions, provide opening hour information, or give non-personalized advice – you might not need to worry about it.
But if you’re looking for live chat software for a bank, a healthcare organization or an eCommerce company whose live chat reps answer questions about specific customers’ accounts, SOC 2 Type II becomes critical.
In fact, anyone who handles passwords, credit card information or other sensitive data needs to care about the security of the information their customers entrust with them and their software providers. That’s true even if your company specializes in developing gaming apps.
SOC 2 Type II doesn’t guarantee there will no breaches, but it does mean your live chat service provider has gone above and beyond to secure you and your customers. It’s a strong vote of confidence in the provider’s ability to protect your sensitive data, and it means the provider takes your privacy and security more seriously.
Here’s why you may need SOC 2 Type II:
Many providers take partial steps to keep your data safe. For example, many providers are PCI DSS compliant, which means they erase credit card numbers from live chat transcripts and data.
But PCI DSS is only invoked when someone is trying to pay. If a customer authenticates personal information via chat and you tell her how much money she has in her savings account right now, the data persists in the chat transcripts and can be stolen.
SOC 2 Type II audits ensure the data is as safe as it can be. It ensures that it’s extremely hard to access sensitive data illicitly.
Many live chat software providers integrate with their customers’ accounts through single sign on – an authentication system that lets a user log in with a single ID and password. Hackers that break into your live chat system can override prebuilt API pathways and open the door to your system. For industries like banking and healthcare, this is especially critical.
SOC 2 Type II audits check and validate what your provider is doing to prevent such breaches. If your provider has passed the audit and received certification, it’s as safe as it can be.
A software provider with SOC 2 Type II certification usually has systems to monitor your live chat operations on a regular basis, so it can detect when things look off. For example, if you usually get 100 chats a day, and suddenly that skyrockets to 10,000 a day, your provider’s system will alert it.
The provider’s IT team can then explore what happened and diagnose the problem quickly. They will check to see if you know why it may have happened (maybe you’ve got a campaign going on or you’re doing some testing) – or whether it’s a cyberattack that needs to be stopped. It can then take the proper measures to repel the attack and move much toward taking action to minimize the damage.
Similarly, certified providers can provide actionable forensics to help prevent or repel future similar attacks. They’re able to know when an attack happened and why, how much data was compromised, and how to fix it for the future to prevent it from happening again.
So why don’t all live chat software providers offer SOC 2 Type II compliance?
In two words, it’s hard.
First, there’s a rigorous auditing process, which requires a ton of work from your team, including in-depth reviews and continuous requests for more and more information, and more and more meetings. Here at Comm100, the entire process takes many months.
It’s also expensive, with the direct audit costs only the beginning. Making sure your data centers are robust enough, hosting your servers at centers that also went through this certification, and making sure your IT experts are available 24/7 – these are just some of the bigger ongoing expenses.
Wait, Aren’t All Contact Center Software Providers Obligated to Offer SOC 2 Type II Compliant Live Chat?
The surprising answer is no.
SOC 2 Type II compliance is totally voluntary. Live chat software providers have other obligatory regulations to meet, especially if they partner with highly regulated industries (like HIPAA for healthcare organization) – like we do here at Comm100. Each compliance procedure is expensive and time consuming.
For some companies, it might not be a priority to go through voluntary compliance processes on top of that, or they might not have the resources. But you can’t afford to compromise on your company and customers’ most sensitive data.
How can I be sure my live chat provider has ticked every box for SOC 2 Type II compliant live chat?
No live chat software provider will share its SOC 2 Type II certification report publicly, because it’s unsafe. The report goes into detail about everything the provider does to keep your sensitive information safe, and no one wants this information reaching hackers’ hands.
However, providers will usually share these reports in private with verified prospective partners and clients. To request Comm100’s report, please contact us here.
Together, we can create a world of better service that customers can actually trust.
Chat with your website visitors in real time, convert more visitors into customers and improve your customer satisfaction. All for free, forever!Sign Up Free