Trust is not a security feature

June 12, 2026

Every software vendor says they're secure. It's on every website, usually right next to a little padlock icon. The trouble is that "secure" is just a word, and words are free. So when you're about to hand a platform your business data and your customers' data, how do you separate real security from good marketing?

Fair question. A few years ago, almost nobody asked it. That's changed fast, and it's worth understanding why before getting to what to look for.

Why this matters more than it used to

Not long ago, "is it secure?" was a checkbox near the end of a buying conversation. Now it's one of the first questions, and the people asking want more than a yes.

A few things pushed it up the list. Regulation keeps getting stricter. Breaches keep making the news. And businesses keep moving more of their day-to-day into software, so the cost of picking the wrong supplier keeps climbing. If you work in finance, healthcare, insurance, or the public sector, your own customers are probably already asking you these questions. Whatever platform you build on either helps you answer them or leaves you holding the bag.

A promise is not the same as proof

Plenty of vendors will tell you they follow good security practices. Far fewer can hand you independent evidence of it. That gap is where most of the real information lives.

The terms you'll run into, roughly in order of how much they tell you:

  1. ISO 27001 means the vendor has a security system in place: policies, controls, and the framework around them. A good sign, and a fair foundation.
  2. SOC 2 and ISAE 3000 go further. An outside auditor checks whether that system actually works and signs off on it. A Type I report says the controls are designed correctly. A Type II report says they've been running properly for months, which is the one that really tells you something.

So when a supplier says "we take security seriously," the useful reply is two words: show me. A signed, third-party report is a very different answer from a reassuring line on a pricing page.

If you're in Europe, watch the standard

This one's easy to miss. SOC 2 is the American standard. ISAE 3000 is the international one your auditors and data protection officers already work with every day.

A vendor with only a SOC 2 report is handing European buyers a document built for a different jurisdiction, something you then get to explain and defend internally. One that also reports under ISAE 3000 is speaking your auditor's language from the start. If your customers are in the EU, ask which one a supplier actually holds. The answers vary more than you'd expect.

Built in, or bolted on?

A certificate is only as good as what sits behind it, so it helps to know what good security looks like inside the product itself.

Start with access. Good systems control it down to the record, so it's not "only staff can log in" but "this person sees this file and nobody else does." When access rules live with the data, you get that for free instead of wiring it in later.

Then there's how data gets kept and deleted. Rules like the GDPR say you shouldn't retain personal data longer than necessary. A platform should let you set how long a type of record lives and handle the cleanup itself, rather than leaving it to someone to remember.

And the quiet one: a full trail of who did what. Every change logged, so "who touched this record?" always has an answer. That's the line between claiming you have controls and proving they worked.

Pulling scattered data into one place where every change is tracked is most of the battle. See how a medical liability insurer replaced 6 legacy systems with 1 in 6 months.

Where we stand

We hold ourselves to the same test we're suggesting you apply to anyone else. VobeSoft has carried an independent [SOC 2 / ISAE 3000 Type 2] report for a couple of years now, covering the controls above, so the businesses running on our platform get that assurance built in rather than on trust. If you want to see what it covers or talk through what a single, secure home for your data would look like, we're happy to walk you through it.