[{"data":1,"prerenderedAt":908},["ShallowReactive",2],{"\u002Fnow\u002Fsoc2-for-education":3,"\u002Fnow\u002Fsoc2-for-education-surround":898},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":884,"date":885,"description":886,"extension":887,"features":6,"fixes":6,"highlight":6,"image":888,"improvements":6,"meta":890,"navigation":891,"path":892,"seo":893,"stem":896,"__hash__":897},"posts\u002F3.now\u002Fsoc2-for-education.md","SOC 2 for EdTech Companies (2026)",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":859},"minimark",[16,20,23,26,31,34,57,60,79,83,86,186,189,193,200,268,274,280,284,287,290,304,307,310,321,324,328,331,348,351,357,361,364,399,402,416,420,423,428,442,446,460,464,478,482,493,497,511,515,518,529,532,538,542,545,582,585,589,592,654,657,664,668,671,674,689,692,696,752,756,759,782,785,799,803,809,815,821,827,833,836,839],[17,18,19],"p",{},"EdTech has had its compliance reckoning. A decade of \"move fast and collect student data\" gave way to state-level student privacy laws, COPPA enforcement actions, FERPA-aware procurement, and IT teams at school districts who actually read vendor risk questionnaires. SOC 2 has become the price of entry for EdTech selling anywhere above the small-business tier.",[17,21,22],{},"What makes EdTech SOC 2 distinctive is buyer diversity. A K-12 district superintendent asks different questions than a university CIO than an enterprise L&D buyer. A single EdTech product often sells into all three, plus consumer and parent-facing audiences. Your SOC 2 program has to tell a coherent story to each.",[17,24,25],{},"This guide is for EdTech founders, CISOs, and compliance leaders planning or running SOC 2. 
It assumes some familiarity with SOC 2 mechanics and focuses on what's specific to education — student data, FERPA, COPPA, the K-12\u002Fhigher ed\u002Fenterprise split, and running a program that matches EdTech economics.",[27,28,30],"h2",{"id":29},"why-soc-2-matters-in-edtech","Why SOC 2 Matters in EdTech",[17,32,33],{},"Three buyer segments drive SOC 2 demand:",[35,36,37,45,51],"ul",{},[38,39,40,44],"li",{},[41,42,43],"strong",{},"K-12 school districts and state education agencies."," District IT and procurement increasingly treat SOC 2 as baseline for any SaaS handling student data. State-level student privacy laws add teeth.",[38,46,47,50],{},[41,48,49],{},"Higher education."," University CIOs, CISOs, and procurement run vendor risk management programs that explicitly require SOC 2. EDUCAUSE HECVAT alignment is common.",[38,52,53,56],{},[41,54,55],{},"Enterprise L&D and corporate training."," HR tech and learning platforms selling into enterprise face the same procurement rigor as any B2B SaaS.",[17,58,59],{},"Each segment has different priorities. K-12 cares about FERPA, COPPA (for under-13), state laws (especially California SOPIPA, Colorado SB 190, Illinois SOPPA), and parent transparency. Higher ed cares about FERPA, research data, and institutional autonomy. 
Enterprise cares about HR data, integration security, and workforce privacy.",[17,61,62,63,68,69,73,74,78],{},"For foundational material, see the ",[64,65,67],"a",{"href":66},"\u002Fframeworks\u002Fsoc2","SOC 2 framework hub",", ",[64,70,72],{"href":71},"\u002Fframeworks\u002Fsoc2\u002Ftrust-services-criteria","Trust Services Criteria page",", and our ",[64,75,77],{"href":76},"\u002Fnow\u002Fsoc2-for-saas","SOC 2 for SaaS companies guide",".",[27,80,82],{"id":81},"education-regulatory-landscape","Education Regulatory Landscape",[17,84,85],{},"EdTech sits at the intersection of multiple regulatory regimes:",[87,88,89,105],"table",{},[90,91,92],"thead",{},[93,94,95,99,102],"tr",{},[96,97,98],"th",{},"Framework",[96,100,101],{},"Who It Applies To",[96,103,104],{},"Focus",[106,107,108,120,131,142,153,164,175],"tbody",{},[93,109,110,114,117],{},[111,112,113],"td",{},"FERPA",[111,115,116],{},"Schools receiving federal funds + vendors acting as \"school officials\"",[111,118,119],{},"Education records privacy",[93,121,122,125,128],{},[111,123,124],{},"COPPA",[111,126,127],{},"Services directed at under-13 or with actual knowledge of under-13 users",[111,129,130],{},"Parental consent for PII collection",[93,132,133,136,139],{},[111,134,135],{},"State student privacy laws (30+ states)",[111,137,138],{},"EdTech vendors serving K-12 in those states",[111,140,141],{},"Data use limits, disclosure, security",[93,143,144,147,150],{},[111,145,146],{},"GDPR",[111,148,149],{},"EU student data",[111,151,152],{},"Personal data protection",[93,154,155,158,161],{},[111,156,157],{},"HIPAA",[111,159,160],{},"Education-health intersection (campus health, behavioral health programs)",[111,162,163],{},"PHI",[93,165,166,169,172],{},[111,167,168],{},"PCI DSS",[111,170,171],{},"Tuition and fee payment processing",[111,173,174],{},"Card data",[93,176,177,180,183],{},[111,178,179],{},"Section 508 \u002F ADA",[111,181,182],{},"Digital accessibility",[111,184,185],{},"Accessible 
design",[17,187,188],{},"SOC 2 doesn't replace any of these. It's the operational security and trust artifact that customers layer on top of regulatory compliance. A well-scoped SOC 2 program addresses the operational controls that satisfy most of the security elements of the above regulations.",[27,190,192],{"id":191},"trust-services-criteria-for-edtech","Trust Services Criteria for EdTech",[17,194,195,196,199],{},"Every SOC 2 includes ",[41,197,198],{},"Security"," (Common Criteria). For EdTech, the other criteria map to specific use cases:",[87,201,202,212],{},[90,203,204],{},[93,205,206,209],{},[96,207,208],{},"Product Type",[96,210,211],{},"Recommended Criteria",[106,213,214,222,230,238,246,254,261],{},[93,215,216,219],{},[111,217,218],{},"Learning management system",[111,220,221],{},"Security + Availability + Confidentiality",[93,223,224,227],{},[111,225,226],{},"Assessment platform",[111,228,229],{},"Security + Availability + Processing Integrity + Confidentiality",[93,231,232,235],{},[111,233,234],{},"Student information system",[111,236,237],{},"Security + Availability + Confidentiality + Privacy",[93,239,240,243],{},[111,241,242],{},"Learning analytics",[111,244,245],{},"Security + Confidentiality + Privacy",[93,247,248,251],{},[111,249,250],{},"Tutoring \u002F homework help",[111,252,253],{},"Security + Availability + Privacy",[93,255,256,259],{},[111,257,258],{},"Enterprise L&D",[111,260,221],{},[93,262,263,266],{},[111,264,265],{},"K-12 curriculum platform",[111,267,253],{},[17,269,270,273],{},[41,271,272],{},"Processing Integrity"," matters for assessment platforms (grades must be accurate) and any product with academic or compliance consequences.",[17,275,276,279],{},[41,277,278],{},"Privacy"," is worth strong consideration for any consumer-facing EdTech product, especially those serving K-12. 
Parent and regulator expectations are high.",[27,281,283],{"id":282},"ferpa-and-soc-2-different-animals-aligned-goals","FERPA and SOC 2 — Different Animals, Aligned Goals",[17,285,286],{},"FERPA is a federal law with specific requirements for education records. SOC 2 is a CPA-firm attestation report on operational controls. They're not the same, but they align.",[17,288,289],{},"FERPA requires your EdTech product, if acting as a \"school official\" for a covered school, to:",[35,291,292,295,298,301],{},[38,293,294],{},"Perform institutional services the school would otherwise perform",[38,296,297],{},"Be under direct control of the school regarding use and maintenance of records",[38,299,300],{},"Not use or re-disclose education records beyond authorized uses",[38,302,303],{},"Use reasonable methods to protect records",[17,305,306],{},"SOC 2's Common Criteria, especially around access controls, audit logging, vendor management, and incident response, directly support FERPA's \"reasonable methods\" requirement. A SOC 2 report is often accepted as evidence of FERPA compliance by district IT teams.",[17,308,309],{},"The gaps SOC 2 doesn't fill:",[35,311,312,315,318],{},[38,313,314],{},"Your contractual FERPA addendum with the school district (required)",[38,316,317],{},"Specific FERPA-required safeguards and disclosure limitations",[38,319,320],{},"Parent access rights (FERPA doesn't technically create parent rights against vendors, but many states extend them)",[17,322,323],{},"Most EdTech vendors draft a FERPA addendum (separate from their DPA) that addresses the specific FERPA obligations, then reference SOC 2 for operational security.",[27,325,327],{"id":326},"coppa-considerations","COPPA Considerations",[17,329,330],{},"If your product is directed at under-13 users or you have actual knowledge of under-13 users, COPPA applies. 
COPPA requires:",[35,332,333,336,339,342,345],{},[38,334,335],{},"Parental consent before collecting PII from under-13 users",[38,337,338],{},"Notice of collection practices",[38,340,341],{},"Parental access, correction, and deletion rights",[38,343,344],{},"Reasonable security",[38,346,347],{},"Retention limits",[17,349,350],{},"SOC 2's Privacy criteria align with COPPA's security and data handling requirements but don't automate parental consent workflows. If you serve K-12, include Privacy criteria in your SOC 2 and build your consent workflow as a COPPA-specific capability.",[17,352,353,354,356],{},"Our ",[64,355,77],{"href":76}," covers Privacy criteria in more detail.",[27,358,360],{"id":359},"scoping-edtech-soc-2","Scoping EdTech SOC 2",[17,362,363],{},"A typical EdTech SOC 2 scope includes:",[35,365,366,369,372,375,378,381,384,387,390,393,396],{},[38,367,368],{},"Student-facing application infrastructure",[38,370,371],{},"Teacher\u002Finstructor-facing infrastructure",[38,373,374],{},"Administrator dashboards",[38,376,377],{},"Roster integration systems (Clever, Classlink, OneRoster, LTI\u002FLTI Advantage)",[38,379,380],{},"Analytics and learning data warehouse",[38,382,383],{},"AI\u002FML infrastructure for personalization or content",[38,385,386],{},"Assessment and proctoring systems",[38,388,389],{},"Customer support and operations tooling",[38,391,392],{},"Identity and access management",[38,394,395],{},"Monitoring, logging, alerting",[38,397,398],{},"Vendor ecosystem",[17,400,401],{},"Scoping mistakes common in EdTech:",[35,403,404,407,410,413],{},[38,405,406],{},"Excluding the analytics environment because \"it's derived data.\" If it contains student data, it's in scope.",[38,408,409],{},"Missing legacy roster sync infrastructure that still handles student PII.",[38,411,412],{},"Excluding parent portals when they contain student information.",[38,414,415],{},"Ignoring marketing and sales tools that have imported district rosters for outreach (an 
increasingly common finding).",[27,417,419],{"id":418},"student-data-as-sensitive-data","Student Data as Sensitive Data",[17,421,422],{},"Your SOC 2 should treat student data with the same seriousness as PHI or financial data. Specific control depth:",[424,425,427],"h3",{"id":426},"access-controls","Access Controls",[35,429,430,433,436,439],{},[38,431,432],{},"Role-based access at tight granularity (teacher-to-class, not teacher-to-school)",[38,434,435],{},"District-level isolation in multi-tenant deployments",[38,437,438],{},"Access reviews for district admin accounts specifically",[38,440,441],{},"Service account minimization",[424,443,445],{"id":444},"roster-integration-security","Roster Integration Security",[35,447,448,451,454,457],{},[38,449,450],{},"Secure integration with Clever, Classlink, OneRoster",[38,452,453],{},"LTI 1.3 \u002F LTI Advantage for embedded tools",[38,455,456],{},"OAuth2 and SAML for authentication",[38,458,459],{},"Rostering data validation and error handling",[424,461,463],{"id":462},"student-data-handling","Student Data Handling",[35,465,466,469,472,475],{},[38,467,468],{},"Minimum necessary — if you don't need home address, don't ingest it",[38,470,471],{},"Retention policies aligned to school year and district retention norms",[38,473,474],{},"Deletion workflows for students leaving districts",[38,476,477],{},"Data portability for transfer students",[424,479,481],{"id":480},"parent-access","Parent Access",[35,483,484,487,490],{},[38,485,486],{},"Where law requires parent access, provide it",[38,488,489],{},"Parent-facing interfaces with appropriate authentication",[38,491,492],{},"Audit logs of parent access",[424,494,496],{"id":495},"content-moderation-where-applicable","Content Moderation (where applicable)",[35,498,499,502,505,508],{},[38,500,501],{},"User-generated content policies",[38,503,504],{},"Moderation tooling",[38,506,507],{},"Reporting mechanisms",[38,509,510],{},"COPPA-aware 
interactions",[27,512,514],{"id":513},"integration-with-hecvat-casbo-and-district-questionnaires","Integration with HECVAT, CASBO, and District Questionnaires",[17,516,517],{},"Higher ed procurement commonly uses the HECVAT (Higher Education Community Vendor Assessment Toolkit). K-12 procurement uses a variety of district-specific or state-specific questionnaires. SOC 2 dramatically reduces the burden of answering these:",[35,519,520,523,526],{},[38,521,522],{},"Many HECVAT questions map directly to SOC 2 controls",[38,524,525],{},"District IT teams often accept SOC 2 Type II in place of detailed security questionnaires",[38,527,528],{},"State-level questionnaires (e.g., California CSPA addendum) often have SOC 2 reference paths",[17,530,531],{},"Build a questionnaire response library mapped to your SOC 2 report. Maintain standard answers for common questions. The time savings compound over the sales year.",[17,533,534,535,537],{},"For more, see our ",[64,536,77],{"href":76}," on questionnaire efficiency.",[27,539,541],{"id":540},"k-12-vs-higher-ed-vs-enterprise-the-same-soc-2","K-12 vs Higher Ed vs Enterprise — the Same SOC 2",[17,543,544],{},"Your SOC 2 report is the same across all three buyer segments. 
What differs is how you contextualize it:",[87,546,547,557],{},[90,548,549],{},[93,550,551,554],{},[96,552,553],{},"Buyer Segment",[96,555,556],{},"Supplementary Artifacts",[106,558,559,567,575],{},[93,560,561,564],{},[111,562,563],{},"K-12 districts",[111,565,566],{},"FERPA addendum, state-specific student data agreements (SDPA), COPPA compliance documentation, privacy policy, parent-facing transparency",[93,568,569,572],{},[111,570,571],{},"Higher education",[111,573,574],{},"HECVAT Lite or Full, FERPA addendum, research data governance, accessibility documentation (WCAG, Section 508)",[93,576,577,579],{},[111,578,258],{},[111,580,581],{},"DPA, ISO 27001 (helpful), HR data handling documentation, integration security documentation",[17,583,584],{},"The SOC 2 report is the trust anchor. Around it you build segment-specific artifacts.",[27,586,588],{"id":587},"edtech-cost-economics","EdTech Cost Economics",[17,590,591],{},"EdTech margins are tighter than most SaaS. Budget accordingly:",[87,593,594,604],{},[90,595,596],{},[93,597,598,601],{},[96,599,600],{},"Line Item",[96,602,603],{},"Typical Cost",[106,605,606,614,622,630,638,646],{},[93,607,608,611],{},[111,609,610],{},"SOC 2 Type II audit",[111,612,613],{},"$25K–$75K",[93,615,616,619],{},[111,617,618],{},"Readiness assessment",[111,620,621],{},"$10K–$30K",[93,623,624,627],{},[111,625,626],{},"Penetration testing",[111,628,629],{},"$15K–$40K per engagement",[93,631,632,635],{},[111,633,634],{},"GRC platform",[111,636,637],{},"$15K–$60K annual",[93,639,640,643],{},[111,641,642],{},"Internal staffing",[111,644,645],{},"$80K–$200K annual",[93,647,648,651],{},[111,649,650],{},"Accessibility testing (often parallel need)",[111,652,653],{},"$15K–$40K annual",[17,655,656],{},"Timeline: 8–14 months from standing start to Type II. 
Faster is possible with strong engineering foundations and dedicated focus.",[17,658,353,659,663],{},[64,660,662],{"href":661},"\u002Fnow\u002Fsoc2-cost-breakdown","SOC 2 cost breakdown"," has more detailed modeling.",[27,665,667],{"id":666},"type-i-vs-type-ii-for-edtech","Type I vs Type II for EdTech",[17,669,670],{},"Education buyers are mixed on Type I. K-12 districts sometimes accept Type I as evidence you're on the journey. Higher ed and enterprise increasingly want Type II.",[17,672,673],{},"The pragmatic path:",[675,676,677,680,683,686],"ol",{},[38,678,679],{},"Type I at month 4–6 — unlock early K-12 and select higher ed deals",[38,681,682],{},"Type II observation period starts immediately",[38,684,685],{},"Type II delivered at month 10–14 — unlock higher ed and enterprise",[38,687,688],{},"Annual Type II cadence thereafter",[17,690,691],{},"Do not drop Type II once you have it. A lapse signals program weakness to every buyer segment.",[27,693,695],{"id":694},"common-pitfalls-for-edtech-soc-2","Common Pitfalls for EdTech SOC 2",[35,697,698,704,710,716,722,728,734,740,746],{},[38,699,700,703],{},[41,701,702],{},"Under-including analytics and AI infrastructure in scope."," Student learning data analytics are in scope if they contain student data.",[38,705,706,709],{},[41,707,708],{},"Ignoring COPPA for any under-13 audience."," Even accidental (you're \"not targeting kids\" but kids use your product).",[38,711,712,715],{},[41,713,714],{},"Sloppy data deletion."," Students leave districts, schools change vendors, parents request deletion. 
Weak deletion workflows are a SOC 2 finding and a state law violation.",[38,717,718,721],{},[41,719,720],{},"Misunderstanding FERPA relationship."," SOC 2 doesn't replace FERPA addenda.",[38,723,724,727],{},[41,725,726],{},"Accessibility as afterthought."," Not a SOC 2 requirement, but a procurement requirement alongside it.",[38,729,730,733],{},[41,731,732],{},"State student privacy law ignorance."," California, Colorado, Illinois, and a dozen others have specific requirements. Being out of compliance damages your SOC 2 credibility.",[38,735,736,739],{},[41,737,738],{},"Weak parent-facing controls."," Parent portals, parent notifications, parent consent mechanisms should be as robust as teacher or admin-facing controls.",[38,741,742,745],{},[41,743,744],{},"Insufficient rostering security."," Integrations with Clever\u002FClasslink\u002FOneRoster handle huge volumes of student PII. Security gaps there are high-impact.",[38,747,748,751],{},[41,749,750],{},"AI\u002FML without governance."," Using student data for model training without documented consent and controls.",[27,753,755],{"id":754},"how-to-get-started","How to Get Started",[17,757,758],{},"If you're an EdTech startup:",[675,760,761,764,767,770,773,776,779],{},[38,762,763],{},"Identify buyer segments and understand their compliance expectations",[38,765,766],{},"Map existing controls against SOC 2 Common Criteria",[38,768,769],{},"Identify required Trust Services Criteria based on product",[38,771,772],{},"Get Type I at month 4–6",[38,774,775],{},"Layer in FERPA addendum template, COPPA compliance (if applicable), state SDPA templates",[38,777,778],{},"Type II at month 10–14",[38,780,781],{},"Build questionnaire response library mapped to your report",[17,783,784],{},"If you're an established EdTech scaling:",[675,786,787,790,793,796],{},[38,788,789],{},"Audit existing SOC 2 scope against current product footprint",[38,791,792],{},"Confirm state law compliance alongside SOC 2",[38,794,795],{},"Evaluate 
Privacy criteria addition if not already included",[38,797,798],{},"Build artifacts ecosystem (FERPA, HECVAT, SDPAs) aligned to your report",[27,800,802],{"id":801},"faq","FAQ",[17,804,805,808],{},[41,806,807],{},"Q: Do we need SOC 2 to sell to K-12?","\nA: Technically no; practically yes if you're selling at scale. Small, localized, or pilot sales may not require it. District-wide, state-wide, or multi-district sales will.",[17,810,811,814],{},[41,812,813],{},"Q: Can we skip Privacy criteria if we already comply with FERPA and COPPA?","\nA: You can, but including Privacy criteria signals maturity to buyers and regulators. For K-12-focused EdTech, it's worth the investment.",[17,816,817,820],{},[41,818,819],{},"Q: Is HECVAT the same as SOC 2?","\nA: No. HECVAT is a questionnaire developed by EDUCAUSE for higher ed vendor risk assessment. SOC 2 is an independent attestation report. Most EdTechs complete HECVAT by referencing their SOC 2 where applicable.",[17,822,823,826],{},[41,824,825],{},"Q: What about state student privacy laws like California SOPIPA?","\nA: These layer on top of SOC 2. Your SOC 2 program satisfies operational security expectations; state laws add specific data use restrictions, disclosure limits, and sometimes assessment obligations. Address them in your state-specific contracts and privacy documentation.",[17,828,829,832],{},[41,830,831],{},"Q: How do we handle international student data in EdTech?","\nA: International students in US schools are covered by FERPA. EU students accessing US EdTech products trigger GDPR. International schools using your product trigger local laws. A well-designed SOC 2 with Privacy criteria and jurisdictional documentation handles most of this; specific regulations still apply on top.",[834,835],"hr",{},[17,837,838],{},"EdTech in 2026 is more regulated, more procurement-savvy, and more demanding than ever. 
A well-run SOC 2 program — anchored in education-specific sensitivities and supplemented with FERPA, COPPA, and state-law documentation — is the foundation for EdTech companies selling at scale.",[17,840,841,842,68,845,73,848,852,853,78],{},"For more, see the ",[64,843,844],{"href":66},"SOC 2 hub",[64,846,847],{"href":71},"Trust Services Criteria",[64,849,851],{"href":850},"\u002Findustry\u002Feducation","education industry resources",". Ready to run compliance on a platform built for SaaS economics? ",[64,854,858],{"href":855,"rel":856},"https:\u002F\u002Fepiski.app",[857],"nofollow","Start with episki",{"title":860,"searchDepth":861,"depth":861,"links":862},"",2,[863,864,865,866,867,868,869,877,878,879,880,881,882,883],{"id":29,"depth":861,"text":30},{"id":81,"depth":861,"text":82},{"id":191,"depth":861,"text":192},{"id":282,"depth":861,"text":283},{"id":326,"depth":861,"text":327},{"id":359,"depth":861,"text":360},{"id":418,"depth":861,"text":419,"children":870},[871,873,874,875,876],{"id":426,"depth":872,"text":427},3,{"id":444,"depth":872,"text":445},{"id":462,"depth":872,"text":463},{"id":480,"depth":872,"text":481},{"id":495,"depth":872,"text":496},{"id":513,"depth":861,"text":514},{"id":540,"depth":861,"text":541},{"id":587,"depth":861,"text":588},{"id":666,"depth":861,"text":667},{"id":694,"depth":861,"text":695},{"id":754,"depth":861,"text":755},{"id":801,"depth":861,"text":802},"practices","2026-04-15","A practical SOC 2 guide for EdTech companies in 2026 — FERPA overlap, student data protection, K-12 vs higher ed vs enterprise buyers, and building a program that fits EdTech economics.","md",{"src":889},"\u002Fimages\u002Fblog\u002Fteam.jpg",{},true,"\u002Fnow\u002Fsoc2-for-education",{"title":894,"description":895},"SOC 2 for EdTech Companies (2026 Complete Guide)","SOC 2 for EdTech companies in 2026 — FERPA overlap, COPPA considerations, student data protection, K-12 \u002F higher ed \u002F enterprise buyer expectations, and audit 
timelines.","3.now\u002Fsoc2-for-education","gX0cxTadp8Fhr8Q3s7iT-kl84rnRjXUDweyV_4bTFww",[899,903],{"title":900,"path":661,"stem":901,"description":902,"children":-1},"The Real Cost of SOC 2 in 2026: A Complete Breakdown","3.now\u002Fsoc2-cost-breakdown","A transparent breakdown of SOC 2 costs in 2026 — auditor fees, tooling, internal time, and practical ways to reduce your total compliance spend.",{"title":904,"path":905,"stem":906,"description":907,"children":-1},"SOC 2 Compliance for Financial Services (2026)","\u002Fnow\u002Fsoc2-for-finance","3.now\u002Fsoc2-for-finance","How banks, fintechs, and financial services firms approach SOC 2 in 2026 — scoping, interaction with SOX and regulatory expectations, and running SOC 2 alongside PCI and FFIEC programs.",1776395330956]