Arteria has always been deeply committed to be at the forefront of data security, availability, and confidentiality. We are delighted to announce that Arteria has obtained the certifications to back that commitment. Arteria has been awarded both ISO 27001:2013 and SOC 2 Type II certifications by the top-tier, trusted, third-party accreditation firm. This is a culmination of a marathon team effort driven by the passion to build a platform we are proud of, and our clients can implicitly trust.  

When did we start
Our journey started the moment we were born as Arteria. Given our origins (you can read about our story here), the Arteria core team was already familiar with the rigour involved in complying with these exacting standards giving us a good head-start. Since our platform has always been cloud-native (yet agnostic), we built our processes, infrastructure, development and deployment practices around principles and controls specified in these compliance standards.

Understand the “why”
The first step in every organization’s certification journey is to understand what it means to be compliant with these standards. However, all web searches lead you to quick fix solutions promising SOC2 or ISO in 14 days (or less!). If that seems too good to be true, it is, for there are no shortcuts to this journey.  

You need to keep a laser-sharp focus on the “whys”. We knew our clients demand and deserve the absolute best security assurances that we could guarantee, and we never let that target blur. The first step for us was to really understand the “spirit” of the control so that we could implement it correctly – “why” was this control necessary was the question we were constantly asking ourselves.  

SOC 2 Type II certification is not a point-in-time certification, rather one must always be in compliance with the controls over the audit period to get certified (and re-certify). Hence everybody in the company needs to be onboard with the idea and committed to the needs of all these controls.

Automation is the key
Arteria values automation as a core principle and Arterians are encouraged to have an automation-first mentality. We use industry leading toolsets to define Arteria platform as code. We created and applied rigorous coding and testing standards to every phase in the delivery pipeline. All components go through multiple automated verification jobs which stress the pipeline from security, correctness, code-styling and performance lenses.  

Automation provided us solid ground to have a proven, repeatable process and one which can be relied upon to identify and flag issues as early as possible in the pipeline. This also meant that once implemented, we were less worried about regression as we build monitors in place to notify us of any anomalies. This built trust in the process of creating, maintaining and operating infrastructure knowing that all necessary SOC 2 Type II controls were applied automatically whenever we executed our scripts. Having said that, the sheer number of controls and implementation of everyone was a daunting task early on in our journey.

How do you eat an elephant?
Agility is in Arteria’s DNA. We pride ourselves to be able to predict and react quickly to the changing needs of our clients and the market. Our projects are managed using Agile principles and we use a combination of Scrum and Kanban to manage our workload.

We followed the same Agile philosophy while implementing the controls. We kept small achievable targets, and iterated every 2 ½  days to take stock and pivot if required. The tasks which were looking impossibly complex when we started, slowly came into sharp focus as we understood the why and figured out how. Everyone in Arteria team actively collaborated to make it happen. It was a constant synergized push by the whole team which lead us to the target, one bite at a time!

Auditors want you to succeed
You cannot envy an auditor’s position. Going into this grind, we had a natural dread of being audited. However, we were pleasantly surprised when we found the auditing team to be extremely supportive and acting more like a guide than a judge at the beginning of our journey. 

The auditing team was extremely responsive and was able to help us understand the “whys” for every control. Our internal audit team helped us keep in shape as we went and did not let us regress. It was a refreshing experience and the auditing team’s guidance was instrumental in preparing us for success.

It makes you better
Although the journey was tough – and it has just started – we can confidently say that the milestone we achieved was worth it. We can see that the controls and application of the processes, procedures, and policies we created to implement these controls has made us a better team which created even better products. The key is to get buy-ins from all stakeholders and weave security and confidentiality into the fabric or who you are. Once this becomes a habit, it is no longer a chore!  

What next?
We acknowledge that the journey has just started, and these certificates are the first important milestone for Arteria. We will continue to strive for certifications and establish Arteria as the leading CLM product complying with the highest security standards. Watch this space for the next one soon!