OroCommerce Security: Announcing SOC 2 Certification

February 18, 2020 | msarandi

Every customer’s data is important to us. We know the data you entrust us with is sensitive, so we want you to know it’s in safe hands.

Aside from PCI compliance for eCommerce sites, SOC certification is the second most important security requirement for online service providers. 

That’s why we are happy to announce that Oro’s SOC 2 certification has been finalized and is available upon request.

Oro has fulfilled the Security and Availability requirements of the Trust Services Criteria (TSC) as part of its SOC 2 certification. Note that many B2B SaaS vendors cover only one area of their systems and procedures (Security), since meeting the additional criteria is optional.

For Oro, the Availability criteria demonstrate our commitment to ensuring the availability of our systems and communicating that to our clients. The Availability part of the report discusses the accessibility of our applications, our network performance monitoring, and other security-related criteria that may affect availability. 

In this post, we’ll take the opportunity to tell you about SOC 2, what it does, what this compliance requirement means to technology companies such as Oro, and what it means for our customers.


What SOC 2 compliance is and why it is important

Service Organization Controls (SOC 2) is a reporting mechanism developed by the American Institute of Certified Public Accountants (AICPA) specifically designed for service providers that store customer data in the cloud. This is a third-party assessment that covers the design of an organization’s controls relevant to its security, confidentiality and availability.

The SOC 2 report gives our partners, customers, and end-users the utmost confidence in Oro and its suite of products. This important milestone shows our commitment to giving customers all the necessary assurances that our system controls are up-to-date.

What SOC 2 compliance means for Oro customers

Some customers require a high-level external validation to properly assess the level of trust and security offered by a service organization. SOC 2 demonstrates that the necessary eCommerce security controls are in place at Oro for the safe and reliable handling of sensitive data.

It’s important that our existing customers understand that they can trust that we have taken all the necessary measures to protect their data. The SOC 2 certification is further proof of our commitment to constantly improve on the security, scalability, and seamlessness of Oro applications.

What was checked as part of SOC 2 compliance 

Essentially, a SOC 2 certification confirms that an entity meets a minimum set of requirements in certain areas of the organization. These include risk assessment procedures, processes that monitor known or anticipated malicious activity, alerts that warn of anomalies, and ways to contain, manage, and audit events when they occur.

Some of the criteria met by Oro as part of the recent SOC 2 certification include (but are not limited to):

Control Environment

  • The entity demonstrates a commitment to integrity and ethical values.
  • The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  • Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Communication and Information

  • The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
  • The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  • The entity communicates with external parties regarding matters affecting the functioning of internal control.

Risk Assessment

  • The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  • The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • The entity considers the potential for fraud in assessing risks to the achievement of objectives.
  • The entity identifies and assesses changes that could significantly impact the system of internal control.

Monitoring Activities

  • The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  • The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Control Activities

  • The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  • The entity also selects and develops general control activities over technology to support the achievement of objectives.
  • The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Additional Criteria

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

SOC 2 vs PCI DSS

Companies that accept credit cards on their website must comply with PCI DSS requirements. Oro has kept pace with the latest changes to PCI DSS and is compliant for its cloud-hosted family of products.

While both SOC 2 and PCI DSS deal with safety and security, there are some differences between the two. Unlike PCI DSS, which has very rigid requirements for handling payment information, SOC 2 reports are broader and unique to each organization. SOC 2 audits also focus on policy, processes, processing integrity, availability, and confidentiality of customer data.

A SOC 2 certification demonstrates that:

  • the organization’s systems are protected as specified,
  • the organization’s systems are available for operation as specified,
  • the organization has set up the necessary due diligence and training processes,
  • the organization has met established policy, process and ethics requirements.

In Conclusion

While SOC 2 compliance isn’t mandatory for most SaaS and cloud vendors, it’s invaluable as a measure of an organization’s data security. A SOC 2 audit evaluates many components: the physical infrastructure and hardware, software, people, processes, and the data processed by the system. PCI DSS, by comparison, also examines the organization’s controls, but it is centered on securing credit card and cardholder data.

Both of these compliance programs assure our customers that we have established, and are constantly improving on, best-in-class safeguards, procedures, and policies to keep their information protected. We hope this is a further indication of Oro’s ongoing commitment to safety and security, as well as of its robustness as a leading B2B eCommerce platform.