An independent audit of cybersecurity here at Kinsta has provided another reason for customers to feel confident that their data is safe on our hosting platforms.

The examination of Kinsta’s security policies and practices by BARR Advisory was an essential step in confirming compliance with certain trust services criteria of System and Organization Controls for Service Organizations (or SOC 2).

Devised by the Association of International Certified Professional Accountants, SOC is a suite of reporting on system and organizational controls for a wide range of enterprises. The SOC 2 variant is a good fit for service providers like Kinsta in the PaaS space since its protocols can evaluate service criteria for security, availability, processing integrity, confidentiality, and privacy.

Kinsta focused on security in its first bid for SOC 2 compliance.

“Kinsta’s customers can draw confidence from Kinsta’s compliance with the SOC 2 standard because it provides tangible evidence that Kinsta’s information security ecosystem is designed with security at the forefront.”

— Jon Penland, Kinsta Chief Operating Officer

“SOC 2 is the most recognized cybersecurity framework for companies like Kinsta,” said Jon Penland, the company’s Chief Operating Officer. “While we felt we were operating in a secure way, we believed that a framework like SOC 2 could help us improve our security in tangible and meaningful ways.”

A Closer Look at Kinsta’s SOC 2 Compliance

In addition to focusing on the core security service criteria to launch the SOC 2 effort, Kinsta also aimed for a final report that would evaluate the company’s performance over an entire quarter — a Type II report — instead of the Type I report that is just a snapshot in time.

The company selected Vanta to provide governance, risk, and compliance software that could automate much of the evidence-gathering in real-time. Working with the auditor, BARR, Kinsta defined a suite of controls that would be monitored during compliance testing.

“Our first SOC 2 observation period was to begin April 1, 2023, and end June 30, 2023,” said Penland. “Because we had used Vanta, a lot of the information the auditor needed could be easily accessed in Vanta’s systems, dramatically reducing the time we had to spend gathering and organizing data to send to BARR.”

On August 15, BARR completed its internal and third-party reviews and delivered Kinsta’s first SOC 2 Type II report.

The report looks at 38 controls — from how Kinsta manages access to its internal systems to how code changes are reviewed and approved to ensuring team members complete security awareness training during onboarding.

The Type II report is available to customers on Kinsta’s Trust Report page.

“The Trust Report page provides our most recent SOC 2 Type II report as well as a live summary of some of the SOC 2 controls we have implemented and which are monitored automatically,” Penland said. “Not all SOC 2 controls are monitored automatically and shown on the Trust Report page, but many are.”

“Something important to us from the start was that we not treat SOC 2 like a tick-the-box activity,” Penland said. “Here at Kinsta, we are not interested in doing busy work just for the sake of doing busy work. If we’re going to do SOC 2, it’s going to have to deliver value. That attitude helped us get a lot out of the process.”

“The feedback I’ve heard repeatedly is that SOC 2 was genuinely useful in helping us formalize certain security-related activities and policies and that, as a result, Kinsta is genuinely more secure in how we operate.”

Looking Ahead: SOC 2 at Kinsta

Of the framework’s five service criteria — security, availability, processing integrity, confidentiality, and privacy — each organization adopting SOC 2 must comply with the security criteria at a minimum.

“It’s up to each organization to decide which additional service criteria, if any, they will voluntarily comply with,” Penland said. “Right now, we’re setting our sights on adding the availability and confidentiality criteria to our SOC 2 program. Our Customers can expect to see these criteria added to our next SOC 2 Type II audit report during the summer of 2024.”

A screen shot of Kinsta's Trust Report page.
Part of Kinsta’s Trust Report page, including some elements that are monitored automatically.

You can request access to Kinsta’s SOC 2 Type II report from our Trust report page.

If you are looking for secure cloud hosting, learn how Kinsta leverages the Google Cloud Platform and Cloudflare to provide firewalling, DDoS protection, and free wildcard SSL.