OpenVPN is proud to announce successful completion of the System and Organization Controls (SOC) 2® examination, an AICPA certification, on December 8, 2023. This examination, along with additional recent security validation, reaffirms OpenVPN’s dedication to protecting our customers. To meet the SOC 2® standards, OpenVPN was required to demonstrate strict information security practices, policies, procedures, and operational standards for security, availability, and confidentiality.
“Over the last year, our teams have worked tirelessly behind the scenes, completing a number of security audits,” says Francis Dinha, Co-Founder and CEO of OpenVPN. “As a result, we're excited to announce OpenVPN has recently received our SOC 2® certification, reinforcing our continued focus on building best-in-class products with best-in-class, built-in security. The report highlights what our 18,000 customers already know — security and privacy are priority number one for OpenVPN and are foundational to how we operate.”
What is SOC 2® compliance and why does it matter?
A December 2023 independent study published by Apple found the epidemic of data breaches more than tripled between 2013 and 2022, leaving over 2.6 billion personal records exposed in the past two years alone.
The report also stated: “The target for cybercriminals was very clear, with a 2023 survey finding that over 80 percent of breaches involved data stored in the cloud. This is after attacks targeting cloud infrastructure nearly doubled from 2021 to 2022. This is due in part to the increased targeting of consumer data by ransomware gangs and coordinated campaigns that compromised vendors or their products to target customers.”
With more and more data being processed, stored, and accessed in cloud environments, it is critical for SaaS companies to ensure the most stringent and uniform security practices. SOC 2® is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA), with the primary purpose of ensuring that third-party service providers store and process client data in a secure manner.
SOC 2® Reports help companies achieve that goal and are considered the “gold standard” for security compliance, internal processes, and organizational compliance awareness in SaaS companies. They require periodic maintenance, meaning compliance is an ongoing practice. These reports provide industry-wide acknowledgment that a company adheres to “trust service principles” such as Security and Confidentiality.
This audit is a months-long process that involves multiple teams and departments within OpenVPN. As a business, completing our SOC 2® certification demonstrates our dedication to protecting our customers and their data.
“OpenVPN has always worked hard to maintain the highest levels of security around our products and customers,” says Brian Litzinger, head of security for OpenVPN. “In the past year we have invested substantial time to reduce the compliance burden for our customers. To that end we are excited to announce that OpenVPN Inc, Access Server, and Cloud Connexa are SOC 2® Compliant AICPA certified. Over the next year we will be adding additional certifications.”
TL;DR: Bad actors are continually looking for ways to get your data — and your customers’ data. The SOC 2® certification and our additional security measures reflect our continued efforts to stop bad actors, effectively protecting both you and your customers.
Additional security measures
Gaining our voluntary SOC 2® security certification is just one of our many efforts to maintain a secure environment for our users. OpenVPN’s Cloud Connexa and Access Server are built on the OpenVPN protocol, which is continually evaluated for vulnerabilities and exposures.
Collectively, these audits are an indicator of our quality of work and commitment to security and serve as an important marker on our roadmap to growth.
Some of the additional measures OpenVPN takes include, but are not limited to:
- All OpenVPN employees are required to use OpenVPN and SSO.
- OpenVPN encrypts your data.
- OpenVPN has designed a risk assessment program to assess the organization's enterprise-level risk at least annually or upon significant changes to the environment.
- OpenVPN's vulnerability management program ensures the confidentiality, integrity, and availability (CIA) of the organization's information systems landscape, which includes all critical system resources.
- OpenVPN adopts its system hardening settings from the most restrictive baselines of the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and/or public cloud service provider (CSP) baseline configurations.
- OpenVPN continually seeks third-party certification and validation of our security procedures.
How to get a copy of OpenVPN’s security reports
Transparency is critical in keeping your business secure. OpenVPN is happy to share our current and past security reports, including our past vulnerabilities and advisories. OpenVPN is continually seeking security validation, including ongoing SOC 2® compliance. To get a copy of OpenVPN’s SOC 2® report, reach out to a member of the OpenVPN team here. To learn more about OpenVPN’s security protocols, read up on our latest security advisories.