We Completed Our SOC 2 Type I Examination
3 min read
“Security is not a document you produce. It is a property of the system you build.”
I lead engineering at Dynamic Needs Analysis, and a large part of that job is making sure the systems we build can be trusted with the data they hold. Today that work reached a real checkpoint: we completed our SOC 2® Type I examination.
What SOC 2 Type I actually is
A SOC 2 examination measures a service provider’s controls against the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
A Type I examination looks at whether those controls are designed appropriately at a single point in time. A Type II examination, which we have already started, looks at how they hold up in operation over an extended period. We are sharing the Type I result now because it is a real, independent checkpoint, and I would rather show the work at each stage than go quiet until everything is finished.
Why this mattered to me as an engineer
The value of SOC 2 is not the report at the end. It is the discipline it forces on the way there. Any engineering team moves fast in places. The examination is an outside party verifying that where it counts, the controls are real and written down, not assumed: how the system is actually secured, who can reach what, how access is reviewed, how changes are tracked.
For a platform built around sensitive financial information, that is exactly the bar I want us held to. It is easy to say a system is secure. It is much harder, and much more useful, to have someone independent test that claim against a recognized standard.
What it means for the people who trust us with their data
DNA is built around sensitive client information. The advisors who use it, and the clients behind them, should not have to take our word that it is handled carefully. A SOC 2 examination puts an independent auditor between our claims and your trust. When a firm’s security team asks how we protect their data, the answer is now backed by a third-party attestation, not a marketing page.
How we got here, and what comes next
We worked with Advantage Partners, who conducted the examination, and Vanta, whose platform lets us monitor our controls continuously rather than only at audit time.
Security is not a document you file once. It is a property of the system, and it has to hold every day. We are continuing that monitoring, and we are working toward our SOC 2 Type II examination.
You can review our security posture any time at our trust center.
See DNA in action
Start building rigorous, client-ready insurance needs analyses, faster.