What happens when an immovable object meets an unstoppable force? When asked this riddle in the comics, Superman answers, “They surrender.”
In the world of finance and technology, the answer involves the System and Organization Controls (SOC) frameworks upheld by the American Institute of CPAs® (AICPA).
Here’s what we mean: Technological innovation is an unstoppable force, changing the way we work and live, while regulation is the immovable object, ready to stop anything that opposes it.
SOC 1 and 2 allow the two phenomena to exist together, minimizing risk and improving consistency, without hobbling innovation or progress.
That’s why we’re so excited to announce that CSTMR has passed its SOC 2 Type 1 audit as of April 2025.
This confirms our commitment to secure data practices, privacy, and trust. As a fintech marketing agency, we’re constantly straddling the line between creative innovation and financial services’ regulations and data practices.
SOC 2 allows us to strike a balance between the two.
The vast majority of SOC 2 compliance takes place behind the scenes. We’d like to take this opportunity to highlight the importance of SOC 2 and how it impacts our work.
What Is SOC 2?
As part of defining SOC 2, it’s worth clarifying the difference between SOC 1 and SOC 2:
- SOC 1 is a framework that governs financial reporting practices and the controls you use to maintain accuracy in those reports. In a nutshell, a SOC 1 audit verifies that you have the correct reporting processes in place and that you follow them.
- SOC 2 is a framework that governs data handling practices based on five Trust Services Criteria covering security, availability, processing integrity, privacy, and confidentiality. A SOC 2 audit examines the processes you have for managing data and verifies that you follow those processes.
- They both fall under the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) issued by the AICPA.
To be clear, a SOC 2 report is a document that details the findings of a certified auditor who assesses SSAE 18 compliance.
There are actually a number of standards that partially overlap with SOC 2, including GAAP, ISO 27001, and SOX (Sarbanes-Oxley Act). They’re all designed to ensure that companies establish and follow formal processes around data and reporting.
SOC 2 is a voluntary standard, meaning that any company can decide to become compliant with it. By comparison, SOX compliance is compulsory for publicly traded companies and is overseen by the Securities and Exchange Commission (SEC).
The popularity of SOC 2 compliance has increased with the rise of the fintech industry.
As more and more unregulated companies partner with and serve highly regulated financial institutions such as banks and credit unions, the need for stricter data management standards has also grown.
While the SOC 2 framework applies directly to service providers handling and processing personally identifiable information (PII), it’s a wise precaution for any company working in the financial services sector, including marketing agencies.
At CSTMR, SOC 2 compliance helps us ensure that we’re guarding confidential customer information and preventing unauthorized access that could harm our customers.
SOC 2 Type 1 vs. Type 2
We already talked generally about the difference between SOC 1 and SOC 2.
Another wrinkle to note is that both standards include additional distinctions known as Type 1 and Type 2, which relate to compliance over time:
- Type 1 compliance means that an organization passed a SOC audit at a specific moment in time.
- Type 2 compliance indicates that a company passed a SOC audit continuously over a longer period, such as six months or more.
Because long-term audits such as Type 2 are complex and expensive, a Type 1 audit and report provide a useful intermediate step that helps organizations establish the proper systems and processes without overburdening operations.
Achieving SOC 2 Type 1 compliance has allowed CSTMR to thoroughly evaluate and improve our company processes. It’s been a powerful exercise that has involved every employee and department.
We want our clients to have complete trust in our ability to guard their confidential information throughout our partnership and beyond—now we have third-party validation of our commitment.
A Brief History of SOC 2
As computer-based accounting emerged in the 1970s, so did the need for standards governing IT and electronic data processing (EDP).
One of the first guidelines was issued by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology or NIST) in 1977.
The next major milestone was the Statement on Auditing Standards No. 70 (SAS 70) that came out in 1992. SAS 70 focused on financial reporting and failed to address broader security measures and digital privacy concerns that were already visible in the “pre-dot-com” era.
In 2011, the AICPA officially replaced SAS 70 with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). This marked the introduction of the SOC 1 and SOC 2 reports, which provided enhanced requirements on financial reporting, as well as desperately needed guidance on broader IT and data practices.
SSAE 18 was released in 2016 and became effective in 2017, with more notable improvements to the auditing standards of SSAE 16. Companies undergoing an audit would be expected to establish a third-party vendor management program. Those vendors would also become subject to auditor scrutiny.
As the saying goes, a chain is only as strong as its weakest link.
SSAE 18 is the current standard used to audit companies and generate SOC 1, 2, and 3* reports, with the most comprehensive guidance to date.
*SOC 3 is a simplified form of the SOC 2 report, designed for broad public consumption.
How SOC 2 Compliance Benefits Our Customers
In a digital world, making data easy to access or move also means creating vulnerabilities that malicious actors can exploit.
The financial ecosystem is deeply interconnected, and the innovations of financial technology are creating new connections at a blistering pace. That means the proverbial “chain” has more links than ever. And a weak link in the chain can cause catastrophic consequences.
Many financial institutions require their partners to demonstrate SOC 2 compliance, whether or not the vendor handles PII.
Although we hold our entire team to a high standard of professional conduct, the purpose of SOC 2 compliance is to formalize our standards and make sure we’re honoring them every step of the way. Our SOC 2 report allows vendors and customers to perform due diligence on the processes and controls CSTMR uses to manage data securely and effectively.
At CSTMR, SOC 2 compliance principally means that we:
- Control data access to individuals on a “need to know” basis
- Use encryption systems that protect data in transit and at rest, including financial records and other proprietary information
The full scope of SOC 2 compliance is large, but the main pillars are the Trust Services Criteria, which include security, availability, processing integrity, confidentiality, and privacy.
The goal is to mitigate the risk of data breaches, unauthorized access, and data loss.
In short, we protect customer data as if it were our own. To people outside the financial services industry, the processes and procedures may seem like overkill, but to anyone in the industry, they’re an essential defense against cyber criminals.
The Process of Passing Our SOC 2 Type 1 Audit
SSAE 18 isn’t anyone’s idea of thrilling reading material, but it isn’t designed to keep you scrolling. Rather, it’s written to help companies methodically assess their organization and identify where their processes and procedures are inadequate or non-existent.
Some aspects of it might seem like common sense, such as risk assessment. Others aren’t, such as management providing a written assertion of the SOC 2 report’s accuracy.
For CSTMR, this required us to step back and take a fresh look at our organization. We hired Prescient Security Services, an industry-recognized consulting firm, to guide us through the process.
It was much more rigorous than we expected, but the benefits were obvious. After more than 10 years in business, it was time for us to reach a new level of organizational maturity.
We took a fine-toothed comb through every process and procedure. We also implemented new ones to address the gaps we found.
In some cases, the team had to develop new “muscle memory” to overcome habits that weren’t wrong, but simply weren’t in line with SOC 2 compliance.
Overall, the process took several months and a concerted effort from the entire team, alongside our regular client responsibilities.
We’re incredibly proud of the commitment and rigor that everyone brought to this project.
Findings From CSTMR’s SOC 2 Audit
The findings of our SOC 2 audit and report showed the strength and thoroughness of our revamped security controls.
Notably, it covered six key areas:
- Data integrity and security: Our data handling processes were evaluated against SOC 2 criteria for integrity, confidentiality, and availability.
- Access management: The audit confirmed that CSTMR’s role-based access control (RBAC) and multi-factor authentication (MFA) are in place and effective.
- Cloud security: Our use of Google Cloud for hosting services was noted to meet SOC 2’s strict standards for environmental protection, redundancy, and physical security.
- Incident response: The report praised our structured incident response plan, which is regularly tested and documented.
- Risk assessment and monitoring: CSTMR’s continuous monitoring for vulnerabilities and its structured risk assessment were acknowledged as proactive and robust.
- Data encryption and backup: CSTMR’s encryption practices for both data in transit and at rest met or exceeded industry standards. Backup protocols were noted as comprehensive and regularly tested.
As you can see, a major theme of SSAE 18 and SOC compliance has to do with procedural rigor and organizational accountability. The standard doesn’t dictate every detail of what compliance looks like. Companies are free to establish processes that work for their operation, as long as they meet the minimum specification.
CSTMR’s report showed that our efforts exceed the minimum and create the foundation we need for future growth (and Type 2 compliance).
CSTMR: Certified for Success
We’re not the type of agency that seeks out accolades for their own sake. The validation of our work comes mainly through the long-term partnerships we’ve built with our clients and the results they’ve experienced achieving their business goals.
That said, SOC 2 compliance is just one piece of industry recognition among many we’ve pursued to better support our clients.
We’re a certified Google Ad Search partner, a Gold HubSpot Solutions Provider, and one of Clutch’s top financial services agencies for PPC, web design, branding, and SEO.
In each case, our team has worked tirelessly to offer strategic guidance and creative execution across every channel. A core tenet of our mission at CSTMR is to help brands and consumers achieve financial well-being. Recognition is just one type of feedback that lets us know we’re on the right track.
We’re committed to continuously improving our organization to be the best partner we can be to the best organizations in the fintech and financial services industries.
There are big things on the horizon, and SOC 2 compliance is just the start.
Reach out to learn how we can help your financial brand grow.