Why SOC 2 certification is the new standard for security in research administration

By Elizabeth Midgorden posted 09-03-2020 19:35


Reposted blog by Cayuse's Sam Balooch. 

Research administration technology has improved a lot in the past few years. Research organizations are moving to the cloud and enjoying the benefits of data being stored remotely instead of on premises. When you use Cayuse’s cloud-based platform, you enjoy things like:

  • Easy access anywhere with internet
  • Improved collaboration for administrators, researchers, and committees
  • Instant, no-hassle upgrades and feature enhancements
  • No infrastructure costs or capital expenses from hardware purchases
  • Fast implementations that shorten ROI and don’t tax your IT department
  • No IT needed for ongoing maintenance, upgrades, data backups, or disaster recovery

But not all cloud-based research software is equally safe. Just because data is stored in the cloud doesn’t mean it’s protected. 

If you’re thinking of moving research administration to the cloud (and who isn’t?), you’ll want to go with a vendor that takes the security of your data as seriously as you do. The very best protection is signified by a vendor achieving the System and Organization Controls (SOC) 2 certification.

What is SOC 2 certification?

SOC 2 is a voluntary certification that software vendors can earn if independent auditors verify that they meet extremely rigorous standards. SOC 2 certification encompasses five areas:

  • Security: access management, infrastructure and data protection, incident response, etc.
  • Availability: redundant power systems, fire detection, temperature control, etc.
  • Processing integrity: backups, file integrity monitoring, protection from modification, etc.
  • Confidentiality: encryption, firewalls, confidentiality agreements, authorization, etc.
  • Privacy: retaining and disposing of information

“SOC 2 sets the new standard for how SaaS companies handle customers’ data,” writes software management company Cleanshelf. 

It’s not enough for a software company to say, “We use Amazon Web Services (AWS), and they’re SOC 2 certified,” because your data could be compromised in the vendor’s own application, between the moment you enter it into the software and the moment it is stored in the cloud. You want to make sure that your software provider upholds the highest security standards and operational practices, so your information is protected every step of the way. It’s like a leaky bucket: you don’t want to pour water into a bucket with holes anywhere, not just at the bottom. A hole on the side is just as bad!

So why should you care? Doesn’t your IT department handle all that? Sometimes yes, but let’s talk about why security, confidentiality, and availability are so important for research administrators.

Security

In the same way that you don’t want anyone to steal your credit card information, you don’t want anyone hacking in and accessing your research administration data. And it’s important that your software allows different levels of access: a principal investigator needs to access different data than a post-award administrator or an IRB committee chair. The best software will distinguish between these user roles so no one is seeing something they shouldn’t.

Confidentiality

Research involves a lot of sensitive information, especially when it involves human subjects. HIPAA requires you to protect people’s health information and only disclose it under certain circumstances. The rules are very detailed, so you want software that will protect the confidentiality of your research through strong encryption. On the flip side, you don’t want anyone to retain access to that data after they should no longer have it (for instance, years after a study is over), and a SOC 2-certified vendor will have clear guidelines on how long they retain your data and when it’s deleted.
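The two controls just described, role separation (a principal investigator, a post-award administrator and an IRB chair each seeing only their own slice of the data) and a retention cut-off after a study closes, can be checked in one authorization decision. The following is an added example written for this post, not Cayuse’s code or a description of how Cayuse implements it: the roles, record types, permission matrix, six-year retention window and sample records are all constructed assumptions. The point it demonstrates is deny-by-default authorization that also refuses access to data past its retention date, and that returns a reason string suitable for an audit log.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Role(Enum):
    PRINCIPAL_INVESTIGATOR = "pi"
    POST_AWARD_ADMIN = "post_award_admin"
    IRB_CHAIR = "irb_chair"


class RecordType(Enum):
    PROPOSAL = "proposal"
    AWARD_FINANCIALS = "award_financials"
    IRB_PROTOCOL = "irb_protocol"
    SUBJECT_HEALTH_DATA = "subject_health_data"


# Hypothetical permission matrix (constructed for this example, not any
# product's real policy). A role may read only the record types listed for
# it; anything not listed is denied. That is the deny-by-default rule.
READ_PERMISSIONS = {
    Role.PRINCIPAL_INVESTIGATOR: {
        RecordType.PROPOSAL, RecordType.IRB_PROTOCOL, RecordType.SUBJECT_HEALTH_DATA,
    },
    Role.POST_AWARD_ADMIN: {RecordType.PROPOSAL, RecordType.AWARD_FINANCIALS},
    Role.IRB_CHAIR: {RecordType.IRB_PROTOCOL},
}

# Constructed retention window: once a study has been closed longer than
# this, its records are unreadable for every role. Six years is a placeholder;
# the real period is whatever your policy and regulators require.
RETENTION_AFTER_CLOSE = timedelta(days=6 * 365)

# Constructed "today", matching the date of the post.
TODAY = date(2020, 9, 3)


@dataclass(frozen=True)
class Record:
    record_type: RecordType
    study_id: str
    study_closed_on: Optional[date]  # None while the study is still active


def retention_expired(record: Record, today: date) -> bool:
    """True once a closed study is past its retention window."""
    if record.study_closed_on is None:
        return False
    return today - record.study_closed_on > RETENTION_AFTER_CLOSE


def authorize_read(role: Role, record: Record, today: date) -> Tuple[bool, str]:
    """Decide whether `role` may read `record`, returning (allowed, reason).

    The reason string is what you would write to the audit log, so that every
    denial is explainable: was it the role, or was the data past retention?
    Retention is checked first so that expired data is hidden even from roles
    that were entitled to it while the study was active.
    """
    if retention_expired(record, today):
        return False, f"deny: study {record.study_id} past retention"
    if record.record_type not in READ_PERMISSIONS.get(role, set()):
        return False, f"deny: role {role.value} not permitted {record.record_type.value}"
    return True, f"allow: role {role.value} read {record.record_type.value}"


def visible_records(role: Role, records: List[Record], today: date) -> List[Record]:
    """Filter a record list down to what this role is allowed to see today."""
    return [r for r in records if authorize_read(role, r, today)[0]]


# Constructed sample data: one active study, one closed but still within
# retention, and one closed so long ago that its data must not be readable.
SAMPLE_RECORDS = [
    Record(RecordType.PROPOSAL, "STUDY-001", None),
    Record(RecordType.AWARD_FINANCIALS, "STUDY-001", None),
    Record(RecordType.IRB_PROTOCOL, "STUDY-001", None),
    Record(RecordType.SUBJECT_HEALTH_DATA, "STUDY-001", None),
    Record(RecordType.IRB_PROTOCOL, "STUDY-CLOSED", date(2019, 1, 1)),
    Record(RecordType.SUBJECT_HEALTH_DATA, "STUDY-OLD", date(2010, 1, 1)),
]

if __name__ == "__main__":
    for role in Role:
        seen = [(r.study_id, r.record_type.value)
                for r in visible_records(role, SAMPLE_RECORDS, TODAY)]
        print(role.value, seen)
```

Running the script prints, per role, the (study, record type) pairs that role can still see: the IRB chair sees only protocols, the post-award administrator sees proposals and financials, and nobody sees the health data of the study closed in 2010. In a real system the permission matrix would come from configuration rather than a hard-coded dictionary, but the shape of the decision (retention first, then role, then a logged reason either way) is what an auditor reviewing access controls expects to find.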

Availability

Ever since COVID-19, working from home is the new norm for many in the research community. You need to be able to access your information anywhere. Not only that, but you need to know it’s backed up regularly in case of an emergency, and that plans are in place to recover from any outages or downtime.

Why Cayuse is SOC 2 compliant

Your security is really important to us, and we believe in being transparent about the level of security you can expect from Cayuse software. That’s why we invested the time and effort in becoming the first and only research administration software company to be SOC 2 certified. We meet the highest standards in safety, confidentiality, and availability so you can have peace of mind that you’ve chosen the best vendor and can trust our security.

To learn more about why you can trust Cayuse and see our SOC 2 report, visit our trust page here >>