
233 points gmays | 5 comments
tptacek ◴[] No.44362436[source]
This is all good, just a note for anybody reading this to the end: there's basically no way not to pass your Type 1, at least not if you're using a serious auditor. The point of a Type 1 is to document a point-in-time baseline. The Type 2 is the first "real" audit, and basically just checks whether you reliably did all the things you attested to in your Type 1.

All that is to say: you want to minimize the amount of security work you do for your Type 1, down to a small set of best practices you know you're going to comply with forever (single sign-on and protected branches are basically 90% of it). You can always add controls later. Removing them is a giant pain in the ass.

This is always my concern for people going into SOC2 cold: vendors in the space will use the Type 1 as an opportunity for you to upskill your team and get all sorts of stuff deployed. A terrible and easily avoided mistake.

I write this only because the piece ends with Excalidraw psyched to have cleared their Type 1. I hope their auditors told them they were always going to clear that bar.

replies(4): >>44362485 #>>44362521 #>>44362792 #>>44362850 #
1. colechristensen ◴[] No.44362485[source]
>I write this only because the piece ends with Excalidraw psyched to have cleared their Type 1. I hope their auditors told them they were always going to clear that bar.

The signal that having a Type 1 sends is that you're interested in even trying to pass the next one, which in itself is a good sign to everyone. Maybe being excited and proud of "passing" Type 1 is a little exaggerated for folks who know the details, but I'm very willing to forgive that. A lot of orgs show a lot more pride about much more dubious things.

replies(1): >>44362535 #
2. tptacek ◴[] No.44362535[source]
I'm not saying it's a bad sign, I'm saying: you really can't fail a Type 1, unless your auditor is messing with you (a good auditor's job is to make sure you end up with a Type 1). My broken-record SOC2 point is: minimize your Type 1 controls, and add new controls over time.

You can do lots of security things. I'm not saying minimize security. I'm saying minimize the security things you talk about in your Type 1.

replies(1): >>44362706 #
3. colechristensen ◴[] No.44362706[source]
I'm saying even if you can't fail, I'm still willing to congratulate an org for starting even though the first milestone isn't particularly impressive.

replies(1): >>44362750 #
4. tptacek ◴[] No.44362750{3}[source]
Congratulations, Excalidraw. Also I love your product. Meanwhile, let's get back to talking about the pitfalls of actually getting SOC2.

replies(1): >>44363499 #
5. colechristensen ◴[] No.44363499{4}[source]
Agreed. Certifications leave a lot to be desired but are at least better than nothing. I've been through it several times and it's a hard topic between good intentions and bad implementation.