We are thrilled to announce that CockroachDB Dedicated, the fully managed service of CockroachDB, is now PCI-DSS certified by a Qualified Security Assessor (QSA) as a PCI Level 1 Service Provider. The PCI-DSS was created by the PCI Security Standards Council - an organization formed in 2006 by the major credit card associations (Visa, American Express, MasterCard and JCB). The mission of this council is to establish a “minimum security standard” to protect customers’ payment information. Any business that handles credit card and payment data is required to conform to that minimum standard referred to as the Payment Card Industry (PCI) Data Security Standard (DSS).

Back in April 2021, Cockroach Labs completed our first SOC 2 Type II audit. Now, thanks to collaboration between multiple teams led by the Compliance team, we have completed our second. As CockroachDB continues to evolve and add new products and features, we need to ensure that those new products and features meet various sets of security and compliance standards. This latest SOC 2 Type II audit covers a full 12 month review period for both of CockroachDB’s managed services offerings, CockroachDB Dedicated and CockroachDB Serverless. But before we get more in-depth on this new addition, let’s quickly recap what a SOC 2 Type II audit covers and why it’s important.

I was hired as the compliance manager at Cockroach Labs in November 2020 to help support the compliance workstreams that sprawl across multiple business units. Compliance can be a daunting task for organizations, even if they have a mature security posture, as compliance and security are often linked together but they are not the same thing. Cockroach Labs completed our first SOC 2 Type II audit in April 2021. In this blog post, I will cover details about: What compliance is, When organizations should start to think about compliance, What are common the compliance frameworks that organizations will be audited against, Where to start your company’s compliance journey, and How Cockroach Labs built a set of internal controls to be audited against SOC 2 Type II Trust Services Criteria.