As detailed in a previous blog post, Sekoia has been certified PCI-DSS level 1.
This means that any card-processing company can now consider using Sekoia for their SIEM requirements.
You can get access to our AOC (Attestation of Compliance) on trust.sekoia.com.
Our journey
Being PCI certified is a long journey. We started two years ago when we were discussing an extension of our coverage with a customer. This customer was processing card data and consequently had to be partnering with PCI-compliant security solutions to monitor its perimeter. We were already providing our SaaS SOC platform at this time, but not a certified solution and that was a problem for their compliance.
We then decided to open a new cloud region with a high-grade level of security and compliance for high-demanding customers such as our first sponsor.
It approximately took us two years between the early discussions and the certification. This improvement period allowed us to make a huge step forward.
Maybe the hardest task for us was to have everything documented. Many processes or mechanisms were sound but were not completely formalized or assigned. This is done now!
Our security level
Sekoia was born out of a passion for security, so it was fitting for us to incorporate our security principles and expertise in our posture to offer excellence to our customers.
While cybersecurity is a crucial feature of a SaaS product, its security level is primarily derived from the overall practices of the entire company.
The involvement of management in the security program, mature HR and IT processes, a strong commitment from the staff to security, etc.., all these activities will directly impact the security of your product.
This is why it is important to have this holistic approach, or as they say, run a tight ship.
For those interested, we have created our Security Whitepaper, which is the explanation of all our security enforcement at the company level. This Security Whitepaper is also available on trust.sekoia.com.
Compliance automation with Drata
When we started our compliance journey, we had in mind that we would need a solution to consolidate our evidence in a structured library.
We did not want to do it only for PCI DSS but also for other frameworks that would be required in the future along our expected compliance milestones.
We chose Drata because the platform could simultaneously help us consolidate our evidence while also automating and accelerating the compliance process across the organization.
Using Drata's automation, we are able to ensure that a specific control remains in compliance in addition to to having it assigned to several frameworks, which optimizes our time by eliminating the need for repeated tasks.
On Sekoia's Trust Center, powered by Drata, we showcase some continuous monitoring controls that are in place for Sekoia. Customers can also easily request access for specific documents, such as an AOC, for instance.
Our compliance roadmap
We started with PCI DSS but we will continue in 2024 with other certifications that can show how our solution is able to meet the needs of our high demanding customers, either because they are regulated themselves or because they want trusted partners.
Our next milestones will be ISO27001, SOC 2, SecNumCloud (SaaS level) and probably others.
Today we consider ourselves to be a strategic provider for our customers. We cherish the trust they place in us and that’s why we set the bar at the highest level in terms of security to protect their data and make them safer thanks to our SOC platform.
