Enterprise clients increasingly expect some degree of audit/risk management. AWS, for example, has a laundry list of reports attesting to the controls that they have in place. Has Storj considered working with an auditor to determine what can and cannot be done?
This question about SOC2 is over a year old with no responses. Just wondering how Storj reps respond to a customer question about this topic? Without an answer to this, I wouldn’t feel comfortable trying to sell an enterprise on Storj.
For example, would you say, “SOC2 is mainly to ensure you that data centers full of humans who can access your data, don’t do so inappropriately. With Storj, we don’t have data centers. We don’t have any humans who can touch a whole file. So asking Storj for a SOC2 audit is like asking a self-driving vehicle for its drivers license. What you really want is an independent code audit. And we have those. Here they are…”
Questions about compliance come up from time to time and the question is very timely as this is an initiative on which we are currently working.
That analogy gets pretty much to the core of the issue - when data is end-to-end encrypted and highly distributed, the insider risk is significantly reduced. In addition to independent code audits, there are some other aspects to the security and availability of data that we’re addressing in terms of audits, process controls, policies, etc.
The service is very secure and we are going through the process right now to complete the steps around the audit processes and creating the familiar artifacts associated with demonstrating that we have the required controls in place.
Privacy, security, and compliance in the context of decentralized systems will be one of the topics of the September Let’s Talk Storj webinar, so keep your eye out for the announcement for that event. Should be a good one!