233 points gmays | 1 comments
tptacek No.44362436
This is all good, just a note for anybody reading this to the end: there's basically no way not to pass your Type 1, at least not if you're using a serious auditor. The point of a Type 1 is to document a point-in-time baseline. The Type 2 is the first "real" audit, and basically just checks whether you reliably did all the things you attested to in your Type 1.

All that is to say: you want to minimize the amount of security work you do for your Type 1, down to a small set of best practices you know you're going to comply with forever (single sign-on and protected branches are basically 90% of it). You can always add controls later. Removing them is a giant pain in the ass.

This is always my concern for people going into SOC2 cold: vendors in the space will use the Type 1 as an opportunity for you to upskill your team and get all sorts of stuff deployed. A terrible and easily avoided mistake.

I write this only because the piece ends with Excalidraw psyched to have cleared their Type 1. I hope their auditors told them they were always going to clear that bar.

replies(4): >>44362485 #>>44362521 #>>44362792 #>>44362850 #
RainyDayTmrw No.44362792
Am I reading correctly between the lines? That sounds like you're suggesting that vendors in this space will actively work against your interests, and scope creep type 1, to get more business for type 2?
replies(3): >>44362920 #>>44364589 #>>44364916 #
michaelt No.44364589
Or the vendors you’re paying to help you adopt a bunch of corporate paperwork are helping you adopt a bunch of corporate paperwork. Kinda their job, no?

If I hire a fire safety consultant, I gotta expect he’s going to recommend sprinklers and extinguishers and fire doors.