4 minutes

Obsidian’s Security and Privacy Compliance Journey

The objective of Data Privacy Week has always been to remind individuals that their privacy is important, and that they have a right to make informed decisions about where their data resides and how it is handled. At the same time, this week should remind organizations that building mutual trust with customers, employees, and partners is only possible if the security and privacy of their data is maintained with unwavering commitment.

From our earliest days, Obsidian Security has been on a mission to ensure that our customers can protect their SaaS applications, evolve their security programs, and keep their data safe. In order to succeed in this mission, not only do we have to deliver unrivaled value to our customers, but also demonstrate that we take our security and privacy—and by extension, their security and privacy—seriously. Whether it’s by the nature of our product or the security background of our founders and many of our staff, this mission is an integral part of Obsidian’s DNA.

In 2019, Obsidian first completed our SOC 2 Type 2 assessment and received the first of many flawless reports. Just last month, we followed this up with ISO 27001 and ISO 27701 certifications for security and privacy along with our Microsoft Supplier Security and Privacy Assurance (SSPA) assessment. 

As of the time I’m writing this, Obsidian is the only SaaS security startup to have achieved all of these credentials. These credentials serve as a critical part of our continued commitment to championing security and privacy and fostering an environment of mutual trust.

In the spirit of Data Privacy Week, I wanted to take this opportunity to reflect on each of these certifications and attestations, explore what they mean for our customers and for the market, and show why exactly they matter.


SOC 2 for Service Organizations is the collective set of criteria developed by the American Institute of CPAs which defines security standards for Service Organizations. These standards cover best practices in security, availability, processing integrity, and confidentiality which are known collectively as trust services criteria. In addition, SOC 2 is broken down into two types of reports: Type 1 and Type 2.

The Type 1 report describes the service that is offered and defines the sets of controls that map to the trust services criteria. The Type 2 is where the rubber meets the road. In the Type 2 report, the service organization has to demonstrate the design suitability and operational effectiveness of the controls defined and implemented in the Type 1 to meet the requirements of the trust services criteria.

ISO/IEC 27001 & 27701

ISO/IEC 27001 is the International Organization for Standardization’s standard for developing and managing Information Security Management System (ISMS). ISO 27701 is the related extension for developing and managing an associated Privacy Information Management System (PIMS). 

Microsoft SSPA

Microsoft Supplier Security and Privacy Assurance Program (SSPA) is Microsoft’s assessment to ensure its suppliers achieve and maintain compliance with its strict data protection requirements for data security and privacy. This is a requirement for any supplier processing personal or confidential data on behalf of Microsoft or any of its related companies.

What does it all mean?

With routine headlines announcing the latest security breaches and emerging privacy concerns, it can understandably feel like the cybersecurity landscape is trending towards greater risk each day. As a result, these areas are becoming increasingly regulated, and the market demand for vendor compliance with the highest security and privacy standards continues to grow. It’s not entirely surprising that many organizations won’t even consider vendors that are unwilling or unable to invest in such table stakes capabilities and credentials.

Obsidian decided early on that the investment in these capabilities and credentials was a worthwhile one. Our internal security-first culture and our external commitment to our customers and partners drove us to validate our security and privacy practices through rigorous independent assessment. In the end, these credentials matter because they matter to our customers and to the market as a testament that we’re serious about our commitment and our broader role in the security world.