Excalidraw+ Is Now SOC 2 Certified

Excalidraw+ is SOC 2 compliant

TL;DR: Our SOC 2 Journey

We got tired of endless security questionnaires, so we got SOC 2 certified to make things smoother for everyone.

The process:

  • Used Vanta to connect our services and fix compliance gaps
  • Wrote a ton of policies
  • Implemented zero-trust production access
  • Upgraded our tech stack (Nx, Infisical, monitoring, VPN, etc.)
  • Did penetration testing
  • Evaluated all vendors

Result: Passed SOC 2 Type I 🎉

In progress: Type II

Next: maybe GDPR, maybe ISO 27001 (depends on demand)

Most of the security stuff we were already doing; SOC 2 just forced us to write it down officially.

Why SOC 2

At some point, every company reaches the phase where "we promise we're doing things securely" just doesn't cut it anymore. We were getting tired of filling out endless security questionnaires, the kind of stuff that can easily live in a proper trust center.

It's one thing to say, "We use MFA, we encrypt stuff, we care about your data," but it hits different when a third-party auditor confirms we're actually doing it by the book.

And since our team is still fairly small, we figured it was the right time to get our practices locked in early.

If you're wondering how SOC 2 works or planning to get certified yourself, this post aims to shed some light.

What is SOC 2?

SOC 2 is a security and compliance framework created by the AICPA. It defines how companies should handle customer data using five criteria: security, availability, processing integrity, confidentiality, and privacy.

There are other frameworks, such as ISO 27001, and in the long run it pays off to get that one too, depending on your customer base, but starting with SOC 2 is never a bad idea. It's widely recognized by US companies, less complex than ISO 27001, and gives you a solid security foundation to build upon.

There are two flavors of SOC 2:

  • SOC 2 Type I checks that your systems and policies exist at a point in time. Basically, whether you have the right setup.
  • SOC 2 Type II looks at whether those policies work over time. Think of it as, "cool, but do you really follow through?"

We've completed SOC 2 Type I (🎉) and we're already working on Type II.

The Journey

Excalidraw+ SOC 2 journey

Before you start the certification audit itself, you need to make sure you're in compliance to begin with. If you're young and brave, you can read up on the criteria requirements directly from AICPA without using any third-party services to help get going, but such a document doesn't hold your hand or tell you what you need to do. We do not recommend it.

Instead, we looked for services that can get you set up and going easily (well, easier). They help you centralize compliance docs, security workflows, audits, risk monitoring, and all the other things you definitely don't want to be keeping up to date with instead of shipping your product. We narrowed the list down to Drata and Vanta, and in the end, went with Vanta as most of the services and providers we use already had an integration there.

Once you plug all your services in (for us, this meant Vercel, GCP, DigitalOcean, GitHub, among others), Vanta runs a check to see what needs fixing.

Anything without an existing integration, you need to track manually. Sometimes you need to supply evidence in the form of screenshots, so keep your "receipts" at hand! You can do this in Google Drive or elsewhere, but we built this stuff into our internal admin dashboard. It takes a little bit of work upfront, but it pays off long-term and keeps everything nice and organized.

Vanta also helps you introduce secure workstation policies, such as requiring disk encryption, screen locks, and the use of password managers across your entire team. Not exactly groundbreaking stuff, but useful and necessary, and trying to roll that out on our own would have been a nightmare.

The upside for us was that we got a bird’s eye view of our team: who has access to what, whether MFA was enabled, and so on.

Doing all that was a bit overwhelming at first, but once we got the hang of it, it was surprisingly manageable.

The toughest (or let's say, the most annoying) part by far was the policies. You need a ton of them: "Code of Conduct," "Human Resource Security Policy," "Access Control Policy," "Operational Security Policy," and more. Vanta provided some boilerplate templates to get us started, but we still had to tailor them for our company, especially since we're remote-first. Finding the balance between keeping our startup vibes and introducing more rigid and structured processes was key.

Actually implementing those policies was easier for us, as we had already been doing most of these things without them being written down, but there were still some processes that needed updating and technical changes that needed implementing. This can be time-consuming, especially when you're also actively developing a product at the same time. The key is to carve out dedicated time for this, take on tasks one by one, and aim for a gradual roll-out.

Even though paperwork isn't exactly our favorite thing, some of it actually made a lot of sense. It forced us to properly write down how we handle incidents such as outages, instead of that knowledge existing in bits and pieces or locked in the minds of specific team members. And for our customers, it offers a peek into how we operate behind the scenes.

Since we're a remote team, we implemented a zero-trust production access model with strict role-based controls. Production access is limited to essential personnel (currently the technical co-founders) and operates through our automated deployment pipeline for all routine operations. This approach minimizes the attack surface while ensuring our support team can handle customer requests through our purpose-built internal admin dashboard, which provides controlled access to necessary functions without direct production exposure.

It also helps us automate SOC 2 tasks like tracking and managing resource access, conducting regular access reviews, and keeping a paper trail for the compliance reasons highlighted above. And yes, we log who touches what.
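The access model described above, as an added example (not Excalidraw+ code): a default-deny, role-based guard for an internal admin dashboard that records every attempt in an audit trail and can produce the "who can do what" table an access review needs. The roles, actions and users are assumptions made up for illustration; the point is that support staff reach only the dashboard functions on their allowlist, that direct production access is not reachable through the dashboard at all, and that the same allowlist drives both enforcement and review.

```typescript
// Added example, not Excalidraw+ code. Roles, actions and users are assumptions.
type Role = "support" | "cofounder";
type Action = "customer.lookup" | "customer.resetSeats" | "deploy.trigger" | "prod.shell";

// Allowlist per role. Anything not listed is denied. "prod.shell" is granted to
// nobody via the dashboard, so the dashboard can never be a path to a prod shell.
const PERMISSIONS: Record<Role, readonly Action[]> = {
  support: ["customer.lookup", "customer.resetSeats"],
  cofounder: ["customer.lookup", "customer.resetSeats", "deploy.trigger"],
};

interface User { id: string; roles: Role[]; mfaEnrolled: boolean }

interface AuditEntry {
  at: string;        // ISO timestamp
  actor: string;
  action: Action;
  target: string;
  allowed: boolean;
  reason: string;
}

// Append-only trail of every attempt, allowed or denied.
const auditLog: AuditEntry[] = [];

function isAllowed(user: User, action: Action): boolean {
  if (!user.mfaEnrolled) return false; // MFA is a precondition for any admin action
  return user.roles.some((r) => PERMISSIONS[r].indexOf(action) !== -1);
}

// The guard every dashboard handler calls: decide, then record who touched what.
function authorize(user: User, action: Action, target: string, now: Date = new Date()): boolean {
  const allowed = isAllowed(user, action);
  const reason = !user.mfaEnrolled ? "mfa-missing" : allowed ? "role-allowlist" : "not-in-allowlist";
  auditLog.push({ at: now.toISOString(), actor: user.id, action, target, allowed, reason });
  return allowed;
}

// Access-review helper: a flat "who can do what" view derived from the same
// allowlist the guard enforces, so the review cannot drift from reality.
function accessReview(users: User[]): Array<{ user: string; actions: Action[] }> {
  return users.map((u) => {
    const seen: Action[] = [];
    for (const role of u.roles) {
      for (const a of PERMISSIONS[role]) {
        if (seen.indexOf(a) === -1) seen.push(a);
      }
    }
    return { user: u.id, actions: seen.sort() };
  });
}

// Constructed sample users.
const alice: User = { id: "alice", roles: ["support"], mfaEnrolled: true };
const bob: User = { id: "bob", roles: ["cofounder"], mfaEnrolled: true };
const carol: User = { id: "carol", roles: ["cofounder"], mfaEnrolled: false };

// Runs five representative requests and returns the decisions.
function demo(): boolean[] {
  return [
    authorize(alice, "customer.resetSeats", "org-42"), // true: support allowlist
    authorize(alice, "deploy.trigger", "prod"),        // false: not in support allowlist
    authorize(bob, "deploy.trigger", "prod"),          // true: cofounder allowlist
    authorize(bob, "prod.shell", "prod"),              // false: no role grants this
    authorize(carol, "customer.lookup", "org-42"),     // false: MFA not enrolled
  ];
}
```

Denied attempts are logged with a reason, which is what makes the trail useful in an access review: a run of "not-in-allowlist" entries for one user is worth a look even though nothing was exposed.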

Of course, no compliance journey would be complete without a few moments that feel like they come straight from a company training video. Well, watching those was quite literally part of it (No, Sheila, passwords go into the password manager, not on your monitor's sticky note), but we now also run regular staff training sessions. Our new member onboarding calls have also become more structured.

Technical Work

SOC 2 Technical architecture overview

We went a bit crazy here. We started by splitting our monolith into more services and kept adding new apps into our codebase as we grew. To manage it all, we chose Nx as our build/monorepo framework. Migrating to Nx helps us standardize how our dev team runs development, builds, shipping, and tests within our GitHub CI/CD pipeline. Nx gives us custom executors that we use to handle environment variables, accommodate differences between frameworks like classic SPA and Next.js, and more. The speedup due to caching was a nice bonus (you can do this locally, or in the cloud for added benefits).

For managing environment keys, we picked Infisical, which is end-to-end encrypted, self-deployable, and basically ticks all our boxes. This setup lets developers access only development keys and nothing more, same for CI. No more committing environment variables into the codebase or injecting them manually into CI. Try it once, and you'll never want to go back. The secrets management tool also lets us run everything in CI smoothly, such as testing for missing or leaking environment keys. One of the tougher challenges was making CI work smoothly alongside the VPN and firewalls we have in place.
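The two CI checks mentioned above (missing keys and leaking keys), as an added example that is neither Excalidraw+ nor Infisical code. It assumes a per-environment list of required key names, a naming convention in which only keys prefixed `NEXT_PUBLIC_` may reach the browser bundle, and a constructed sample environment and bundle. The leak check scans the built client artifact for secret values rather than names, so a secret that was inlined under a different variable name is still caught.

```typescript
// Added example, not Excalidraw+ or Infisical code. Key names, environments,
// the NEXT_PUBLIC_ convention and the sample values are assumptions.
type Env = "development" | "ci" | "production";
type Vars = Record<string, string | undefined>;

// Which keys each environment must provide. A missing key fails the build
// before the app ever boots half-configured.
const REQUIRED: Record<Env, readonly string[]> = {
  development: ["DATABASE_URL", "SESSION_SECRET"],
  ci: ["DATABASE_URL", "SESSION_SECRET", "TEST_API_TOKEN"],
  production: ["DATABASE_URL", "SESSION_SECRET", "BILLING_API_KEY"],
};

// Only keys with this prefix are public by design and allowed in client code.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";

// Names of required keys that are absent or blank in the given environment.
function missingKeys(env: Env, vars: Vars): string[] {
  return REQUIRED[env].filter((k) => {
    const v = vars[k];
    return v === undefined || v.trim() === "";
  });
}

// Names of non-public keys whose *value* appears verbatim in a built bundle.
function leakedSecrets(bundle: string, vars: Vars): string[] {
  const leaked: string[] = [];
  for (const name of Object.keys(vars)) {
    const value = vars[name];
    if (value === undefined || value.length < 8) continue; // too short to match meaningfully
    if (name.indexOf(PUBLIC_PREFIX) === 0) continue;       // public by convention
    if (bundle.indexOf(value) !== -1) leaked.push(name);
  }
  return leaked.sort();
}

// Constructed sample: a CI environment where TEST_API_TOKEN was never set,
// and a fake client bundle into which the session secret got inlined.
const sampleVars: Vars = {
  DATABASE_URL: "postgres://ci:ci@db.internal/app",
  SESSION_SECRET: "ci-session-secret-0123456789",
  NEXT_PUBLIC_APP_URL: "https://app.example.invalid",
};

const sampleBundle =
  'const API="https://app.example.invalid";' +
  'const s="ci-session-secret-0123456789";';

// What a CI step would evaluate; a non-empty result in either list fails the job.
function runChecks(env: Env): { missing: string[]; leaked: string[] } {
  return {
    missing: missingKeys(env, sampleVars),
    leaked: leakedSecrets(sampleBundle, sampleVars),
  };
}
```

In a real pipeline `sampleVars` would be `process.env` as populated by the secrets manager for that environment, and `sampleBundle` the concatenated output of the client build; the two checks stay the same.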

And our custom firewall and VPN setup finally pushed us to upgrade to GitHub Enterprise to get dedicated IPs for our runners.

We also set up monitoring for our services and made a public status page. For logging, we use Vector and Axiom.

As we wrapped things up, we needed to verify that everything was as secure as we planned. So, we conducted penetration testing across the entire Excalidraw+ platform. It found some minor issues, like exposed headers, which we fixed right away. Running penetration tests at least once a year to make sure everything is squared away is a must.
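The "exposed headers" class of finding, as an added example (not from the Excalidraw+ pentest report): a small audit of an HTTP response's headers that flags stack-disclosure headers and missing or weak hardening headers. The header set below is constructed, and the list of expected headers and their minimal acceptance rules are this example's assumptions; a real check would run against the live responses of each route.

```typescript
// Added example, not from the Excalidraw+ pentest. The sample headers and the
// expectations below are assumptions chosen for illustration.
interface Finding { severity: "low" | "medium"; header: string; detail: string }

// Headers that reveal stack details for no benefit to the client.
const DISCLOSURE_HEADERS = ["server", "x-powered-by", "x-aspnet-version", "x-runtime"];

// Hardening headers an HTML response should carry, each with a minimal check.
const EXPECTED: Array<{ name: string; ok: (v: string) => boolean; want: string }> = [
  { name: "strict-transport-security", ok: (v) => /max-age=\d+/.test(v), want: "a max-age" },
  { name: "x-content-type-options", ok: (v) => v.toLowerCase() === "nosniff", want: "nosniff" },
  { name: "content-security-policy", ok: (v) => v.trim().length > 0, want: "a policy" },
  { name: "referrer-policy", ok: (v) => v.trim().length > 0, want: "a policy" },
];

// Header names are case-insensitive; compare on a lowercased copy.
function normalize(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = headers[k];
  return out;
}

function auditHeaders(raw: Record<string, string>): Finding[] {
  const h = normalize(raw);
  const findings: Finding[] = [];
  for (const name of DISCLOSURE_HEADERS) {
    if (name in h) {
      findings.push({ severity: "low", header: name, detail: `exposes "${h[name]}"; remove it` });
    }
  }
  for (const e of EXPECTED) {
    const v = h[e.name];
    if (v === undefined) {
      findings.push({ severity: "medium", header: e.name, detail: `missing; expected ${e.want}` });
    } else if (!e.ok(v)) {
      findings.push({ severity: "medium", header: e.name, detail: `weak value "${v}"; expected ${e.want}` });
    }
  }
  // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is fine.
  const csp = h["content-security-policy"] || "";
  if (!("x-frame-options" in h) && !/frame-ancestors/.test(csp)) {
    findings.push({ severity: "medium", header: "x-frame-options", detail: "missing, and CSP has no frame-ancestors" });
  }
  return findings;
}

// Constructed sample: a response that leaks server and framework versions and
// lacks a Referrer-Policy, but is otherwise reasonably hardened.
const sampleHeaders: Record<string, string> = {
  "Content-Type": "text/html; charset=utf-8",
  "Server": "nginx/1.25.3",
  "X-Powered-By": "Next.js",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
};

// Compact "severity:header" summary of the findings for the sample above.
function sampleFindings(): string[] {
  return auditHeaders(sampleHeaders).map((f) => `${f.severity}:${f.header}`);
}
```

Disclosure headers are rated low because on their own they only shorten an attacker's reconnaissance; the missing hardening headers are the ones that change browser behaviour and so rate higher.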

Vendors & Risk Management

Turns out, your vendors need to have their act together, too. Every service that touches customer data needs to be evaluated and documented.

The good news? Most of the big players we rely on (Vercel, Google Cloud, GitHub) already have their SOC 2 reports ready to go.

We use a combination of Vanta (which handles most of the common vendors) and our internal admin dashboard for the ones Vanta doesn't cover, because managing this in spreadsheets gets old fast. For each vendor, we document what data they access, their certifications, key risks, and how we mitigate them.

Pro tip: Start this early. Some vendors take weeks to respond, and you might need time to find alternatives.

Going One Step Further

We don't care for tracking our customers, but we do need to know the essentials. How many users do we have, what features are actually used, things like that.

For Excalidraw, we use a self-hosted version of Umami. For public-facing stuff like our open-source editor and landing pages, we use Simple Analytics.

Both do the job without invading your privacy. So if you're wondering why you don't see a cookie banner (see the Umami FAQ and Simple Analytics) on our site, that's why.

The Audit

When it comes to the audit itself, you can either pick from the auditors your provider (e.g., Vanta) works with or find your own. We chose Insight Assurance. What we learned, though, is that we should have contacted them way earlier in the process, as they could have helped us with some of the policies and risk definitions we were overthinking, which would have saved us a lot of time. But hey, lesson learned.

As for the good ending, we passed SOC 2 Type I. While Type II is next on the list and it's what everyone should aim for, Type I is a good stepping stone along the way, as it already demonstrates to your customers that you're serious and that you're not running your business from the back of a tool shed.

If you want to go through the paperwork with a good wine in the evening, you can find it all in our trust center, below.

Security page & trust center

What's Next

soc2 certification roadmap

  • SOC 2 Type II
  • GDPR (unless the EU repeals it first)
  • ISO 27001 (if enough customers ask)