Raksha Learning Academy

Building excellence across every role — from fresh sales to national strategy. Master the art and science of cybersecurity advisory.

Choose Your Learning Track

Select a role to access your personalized curriculum.

KPI & Performance Tracker

Track key performance indicators and key result areas for each role. Select a role to view and update metrics.

Daily Report & Timesheet

Log your daily activities, track time allocation, and generate weekly summaries.

SOC 2 & Compliance Awareness

Understanding SOC 2 Type II compliance requirements and how they apply to every role at Raksha Technologies.

What is SOC 2 and Why It Matters

Overview

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how organizations manage customer data based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. For Raksha Technologies, SOC 2 Type II compliance demonstrates to our customers that we maintain rigorous controls over the data and systems we handle as part of our cybersecurity advisory and procurement services.

Why Every Role Matters

SOC 2 is not just an IT concern — it's an organizational commitment. Every team member, from sales to supply chain, handles sensitive information (customer data, pricing, license keys, vendor credentials). Your daily activities contribute to our audit trail. This is why structured daily reports, KPI tracking, and documented processes are not just management tools — they are compliance requirements.

Data Handling Policies

📄 Classification

All data at Raksha is classified into four levels: Public (marketing materials, website content), Internal (team communications, process docs), Confidential (customer data, pricing, contracts), and Restricted (license keys, credentials, financial records). Handle each according to its classification.

📤 Sharing & Transmission

Never share confidential or restricted data via personal email or unsecured channels. Use approved platforms only. Encrypt sensitive attachments. Verify recipient identity before sharing license keys or pricing information. Do not store customer data on personal devices.

🗑 Retention & Disposal

Retain business records per the defined schedule (typically 7 years for financial, 3 years for communications). Securely delete data when the retention period expires. Never keep unnecessary copies of sensitive documents.

Access Control Reminders

🔐 Authentication

Use strong, unique passwords for all systems. Enable multi-factor authentication (MFA) wherever available — especially for OEM partner portals, CRM, and email. Never share your credentials with colleagues. Report any suspected credential compromise immediately.

👥 Least Privilege

Only request access to systems and data you need for your role. If you change roles or leave a project, request access removal. Managers must conduct quarterly access reviews for their teams.

📱 Device Security

Lock your screen when stepping away. Enable device encryption. Keep operating systems and applications updated. Use company-approved VPN when working remotely. Report lost or stolen devices within 1 hour.

Incident Reporting Procedures

⚠️ What Constitutes an Incident

Any unauthorized access, data breach, lost device, suspicious email (phishing), malware detection, accidental data exposure, or policy violation is a security incident. When in doubt, report it — false alarms are better than missed incidents.

📢 Reporting Process

Step 1: Immediately notify your manager and the IT security team (within 1 hour of discovery).
Step 2: Document what happened — when, what data/systems, how discovered.
Step 3: Do not attempt to fix or investigate on your own.
Step 4: Preserve evidence — don't delete logs, emails, or files related to the incident.
Step 5: Cooperate fully with the investigation team.

Documentation Requirements by Role

💼 Sales Roles

Log all customer interactions in CRM. Document pricing discussions and approval chains. Maintain deal registration records. Record customer consent for data processing. Keep proposal versions and change history.

🔧 Technical Roles

Document all configuration changes. Maintain ticket resolution logs with timestamps. Record vendor escalation details and outcomes. Keep POC/POV environment setup and teardown records. Document any access to customer systems.

👔 Management Roles

Document team access reviews (quarterly). Record performance discussions. Maintain hiring and onboarding checklists. Keep evidence of security awareness training completion. Document approval decisions for exceptions.

📦 Operations / Supply Chain

Maintain complete GRN (Goods Receipt Note) records. Document license key generation and distribution. Keep vendor portal access logs. Maintain PO accuracy records and audit trails. Document GST/tax compliance checks.

Why Daily Reports & KPI Tracking Matter for Audits

SOC 2 Type II auditors look for evidence of consistent, documented processes over time — not just policies on paper. Your daily activity reports create an auditable trail showing that controls are operating effectively every day. KPI tracking demonstrates that performance is monitored against defined targets, which maps directly to the "Monitoring Activities" component of SOC 2. Weekly summaries provide management with oversight evidence. Together, these create the documentary proof that auditors require.

Quick Reference Compliance Checklist

  • Use strong, unique passwords and enable MFA on all systems
  • Lock your device when unattended — even briefly
  • Never share credentials, even with your manager
  • Log all customer interactions in approved systems (CRM, ticketing)
  • Submit your daily activity report before end of day
  • Verify data classification before sharing externally
  • Use only approved channels for confidential information
  • Report security incidents within 1 hour of discovery
  • Complete quarterly security awareness refresher
  • Review and confirm your access permissions quarterly
  • Keep software and systems updated to the latest approved versions
  • Back up work to approved cloud storage — not local drives
  • Document all configuration changes and approvals
  • Verify customer identity before sharing sensitive information
  • Follow the data retention schedule — don't hoard or prematurely delete

Business Rhythms

Structured cadence templates for every role — from daily stand-ups to annual planning.

Reporting Templates

Interactive templates for daily, weekly, monthly, quarterly, and annual reporting.

My Progress

Track your learning journey across all role tracks.