Neon2y ago
5 replies
static-pink

SOC2 Controls using Neon

We have recently migrated from using Google Cloud SQL to Neon. We love the solution and are pleased that we made the migration. We are now starting to prepare for our annual SOC2 audit and the solution for Neon doesn't align with the typical narrative for SOC2. I was wondering if you have any recommendations on how to present the Neon solution so it aligns with the expectations of a SOC2 auditor?

We are planning to communicate that we use the time travel feature if data becomes corrupted. Additionally, we are concerned the auditor will be bothered by our Neon data residing in a single region. One solution that would really help is the ability to configure a read replica in another region that could be used for a hot backup. If we had the read replica and time travel then I think we could work with the auditor to explain how we have a robust solution that can handle disasters. Any thoughts are greatly appreciated!

Example Controls:
* Neo.Tax performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.
* Neo.Tax tests the integrity and completeness of back-up information on an annual basis.
* Neo.Tax monitors the status of backups on a daily basis and action is taken when the backup process fails.
* Neo.Tax has an automated email sent to appropriate personnel when the backup process fails. Failed backups are resolved in a timely manner.