SOC2 Controls using Neon
We have recently migrated from using Google Cloud SQL to Neon. We love the solution and are pleased that we made the migration. We are now starting to prepare for our annual SOC2 audit and the solution for Neon doesn't align with the typical narrative for SOC2. I was wondering if you have any recommendations on how to present the Neon solution so it aligns with the expectations of a SOC2 auditor?
We are planning to communicate that we use the time travel feature if data becomes corrupted. Additionally, we are concerned the auditor will be bothered by our Neon data residing in a single region. One solution that would really help is the ability to configure a read replica in another region that could be used for a hot backup. If we had the read replica and time travel then I think we could work with the auditor to explain how we have a robust solution that can handle disasters. Any thoughts are greatly appreciated!
Example Controls:
* Neo.Tax performs backups daily and retains them in accordance with a predefined schedule in the Backup Policy.
* Neo.Tax tests the integrity and completeness of back-up information on an annual basis.
* Neo.Tax monitors the status of backups on a daily basis and action is taken when the backup process fails.
* Neo.Tax has an automated email sent to appropriate personnel when the backup process fails. Failed backups are resolved in a timely manner.
wise-white•2y ago
Hi! Neon is SOC2 compliant (https://neon.tech/docs/security/soc2-compliance). Is that not sufficient for your needs?
Once we enable Logical Replication you could have the hot replica/backup instance, but I don't yet have a timeline for LR rollout just yet.
stormy-gold (OP)•2y ago
neon being soc2 compliant is definitely valuable from our compliance perspective. neon is a sub-processor for neo.tax and we want as many of our sub-processors to be soc2 compliant. just like aws is a sub-processor for neon.
what i am referencing is soc2 has some standard expectations for database backups:
1. there are regular database backups
2. the database backups are checked on a regular basis
3. there is monitoring to ensure backups are being created on a daily basis
4. there is alerting if a backup fails to be generated
the old soc2 expectations are all based on a different processing model than what neon has created. i am trying to figure out how i can reframe the discussion with our auditor who is probably not familiar with neon and the approach you guys are supporting with time travel etc.
i was wondering if anyone had already been through a soc2 audit and how they adjusted the controls to justify how neon supports the rigor expected.
as a follow-up, i think this is worth neon caring about as this will be a common concern for any of your customers that have to go through soc2. the other aspect that is tough to wrangle is that soc2 advocates for multi-region deployments to have better resilience and disaster recovery.
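One way to produce auditor-facing evidence for the four backup expectations listed above, as an added example that is not from this thread or from Neon: a daily control check over the records written by whatever job dumps the database (a pg_dump cron, for instance). The `BackupRun` record shape, field names and thresholds are this example's own assumptions.

```python
# Added example, not from the thread: evaluate backup-job records against the
# four SOC2 backup expectations (regular backups, periodic restore test,
# daily monitoring, alert on failure). Record fields are assumed, not Neon's.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib


@dataclass
class BackupRun:
    started: datetime
    status: str                           # "success" or "failed"
    sha256: str                           # checksum recorded when the dump was written
    verified_at: Optional[datetime] = None  # last restore test of this dump, if any


def dump_checksum(dump_bytes: bytes) -> str:
    """Recompute a stored dump's checksum for the integrity check (expectation 2)."""
    return hashlib.sha256(dump_bytes).hexdigest()


def evaluate_controls(runs, now, max_age=timedelta(days=1),
                      verify_every=timedelta(days=365)):
    """Return alert strings; an empty list means all four expectations hold."""
    alerts = []
    ok = [r for r in runs if r.status == "success"]
    # Expectations 1 and 3: a successful backup exists and is recent enough.
    if not ok:
        alerts.append("no successful backup on record")
    elif now - max(r.started for r in ok) > max_age:
        alerts.append("latest successful backup is older than %s" % max_age)
    # Expectation 4: every failed run is surfaced for follow-up.
    for r in runs:
        if r.status != "success":
            alerts.append("backup run at %s failed" % r.started.isoformat())
    # Expectation 2: a restore test happened within the verification window.
    tested = [r.verified_at for r in ok if r.verified_at is not None]
    if not tested or now - max(tested) > verify_every:
        alerts.append("no restore test within %s" % verify_every)
    return alerts


# Constructed sample: yesterday's run succeeded and was restore-tested,
# today's run failed, so the monitor should raise two alerts.
NOW = datetime(2024, 6, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_RUNS = [
    BackupRun(NOW - timedelta(hours=26), "success",
              dump_checksum(b"constructed dump"), NOW - timedelta(hours=20)),
    BackupRun(NOW - timedelta(hours=2), "failed", ""),
]

if __name__ == "__main__":
    for alert in evaluate_controls(SAMPLE_RUNS, NOW):
        print("ALERT:", alert)  # feed into the email/paging step of the control
```

The alert list doubles as the evidence an auditor asks for: an empty list for each daily run shows the monitoring control operating, and the non-empty ones show failures being detected.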
wise-white•2y ago
@Gareth I'll follow up with the team on this question during the week.