The Security Conversation That Started It All
The decision to pursue SOC2 didn’t come from a compliance checklist. It came from conversations with clients.
Mainly one client, whose marketing team manages very sensitive data. Their IT security team asked a straightforward question during our onboarding process: “What certifications do you have in place to protect this data?”
We had strong security practices, careful protocols, and a team that took data protection seriously. But we didn’t have formal third-party validation of those practices.
For them, that wasn’t enough. They needed documentation that our security measures met independent standards. We knew if we were serious about being a long-term strategic partner, we needed to hold ourselves to these more rigorous standards.
Why SOC2 Matters
Some industries, such as higher education and medical institutions, operate in an environment of heightened scrutiny regarding data security, and for good reason.
Institutions handle some of the most sensitive personal information imaginable: student records protected under FERPA, health information covered by HIPAA, financial data subject to PCI DSS, personal data of EU residents subject to GDPR, and, increasingly, recruitment and engagement data that families expect to be protected.
When our partners trust us as their digital agency, they’re not just hiring someone to redesign their website. They’re granting access to their systems. Independent validation of our security practices was an important step in becoming better partners.
What We Actually Had to Do for SOC2
Let’s be honest: pursuing SOC2 Type II certification is not a small lift.
It required us to:
- Document everything. Every security policy, every access protocol, every data handling procedure. Things we’d been doing consistently for years had to be written down, formalized, and structured in ways that could be independently audited.
- Implement systematic controls. Some practices that had been “understood” needed to become enforced controls: multi-factor authentication requirements, formal access reviews, incident response procedures, and vendor risk assessments.
- Undergo continuous monitoring. SOC2 Type II isn’t a one-time audit. It requires demonstrating that your controls operated effectively over a sustained period (we went with a three-month observation period). That meant proving consistency, not just capability.
- Submit to an independent audit. A third-party auditor examined everything—our policies, our systems, our logs, our employee practices. They tested our controls, reviewed our documentation, and verified that what we said we were doing was actually happening.
It was a lot of work.
What We Learned Along the Way
Going through SOC2 compliance forced us to examine assumptions we’d held for years.
Documentation creates clarity. When security protocols live primarily in people’s heads, there is room for interpretation and drift. Writing everything down didn’t just satisfy auditors; it gave our entire team a shared understanding of expectations and procedures.
Formalization doesn’t have to mean bureaucracy. In practice, most SOC2 controls aligned with how we were already working. The formalization just added verification and accountability.
Clients notice. Even before we completed certification, the process of pursuing it changed conversations. When prospective clients asked about security practices, we could walk them through specific controls, audit procedures, and third-party validation timelines. It signaled that we took their concerns seriously.
The Security Safeguards We’re Proud Of
SOC2 compliance isn’t about any single security measure—it’s about demonstrating a comprehensive system of controls across five “trust service criteria”: security, availability, processing integrity, confidentiality, and privacy.
Here’s what that actually looks like in practice for iFactory:
- Access controls that actually control access. Every team member has the minimum access necessary for their role. We review permissions quarterly. When someone’s responsibilities change, their access changes. When someone leaves the company, their access is revoked immediately.
- Data encryption everywhere it matters. Data in transit is encrypted. Data at rest is encrypted. Client files are stored in access-controlled environments with audit logging, so we can see exactly who accessed what and when.
- Systematic monitoring and response. We’re actively monitoring for anomalies, logging activities, and maintaining formal incident response procedures.
- Vendor risk management. The tools we use (hosting providers, collaboration platforms, development environments) are themselves vetted for security. We don’t outsource risk; we manage it.
- Regular testing and review. Security controls aren’t “set it and forget it.” We conduct regular vulnerability assessments, penetration testing, and control reviews to ensure everything continues to work as intended.
None of these safeguards are revolutionary. But having them validated by an independent auditor, and committing to maintain them under ongoing scrutiny, makes them trustworthy in a way that self-certification never could.
What SOC2 Means for Our Clients
Here’s the practical reality: SOC2 compliance will never be the reason a client chooses to work with iFactory.
Clients hire us because we understand the strategic challenges of higher education and healthcare, because we’ve solved complex content and governance problems before, and because our team has the specialized expertise their projects require.
But SOC2 certification removes a barrier that could have prevented great partnerships from happening.
Our SOC2 certification should create less work, not more:
- Fewer security questionnaires to complete. Instead of custom vetting processes, you can review our SOC2 report, which answers the vast majority of security questions in a standardized format.
- Clearer assurance for stakeholders. When your IT team, legal counsel, or leadership asks about vendor risk, you can provide independent third-party validation rather than vouching for us based on promises.
- Reduced institutional liability. Working with a SOC2-compliant vendor demonstrates due diligence in vendor selection.
Does SOC2 compliance mean we have more formalized processes internally? Yes. It also means the security practices protecting your data are systematic, tested, and validated by someone other than us.
Why We’re Glad We Did This
With certification complete, we can see what we actually gained:
- We’re better partners. The rigor of compliance made us examine every aspect of how we handle client data and access. We’re more careful, more systematic, and more accountable than we were before.
- We’re ready for what’s coming. Data security requirements in higher education and healthcare are only going to increase. Institutions are facing more regulatory scrutiny, more cyber threats, and more family expectations around data protection. Being SOC2 compliant now positions us to meet those rising standards.
- We can focus on the work. In the past, every new client relationship included some version of the security vetting conversation. Now, we can hand over our SOC2 report and move on to the strategic work we’re actually here to do—helping institutions solve complex content, governance, and user experience challenges.
- It reflects our values. iFactory has always approached client relationships as long-term partnerships built on trust. SOC2 compliance isn’t just about passing an audit—it’s about demonstrating that we hold ourselves to the same standards of accountability and transparency we expect from the institutions we work with.
The process was harder than we expected. The investment was significant. And we’d do it again in a heartbeat.
Because if we’re going to ask higher education institutions to trust us with their most important digital projects—and the sensitive data those projects involve—we owe them more than promises.
We owe them proof.
Does your institution require SOC2 compliance from digital vendors? Have questions about what our certification means for your project? We’re happy to walk you through our audit report and security practices; just reach out.