Recurve is pleased to announce that it has received SOC 2 Type II certification.

After undergoing a rigorous third party audit and analysis of Recurve’s platform security, internal systems and controls, and professional penetration testing of our system, we are now certified SOC2 compliant (Description Criteria section 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Report (AICPA, Description Criteria). 

The energy transition begins and ends with data. Every decision regarding energy management needs to be inclusive of both past and future grid impact. Using data to understand how behind the meter interventions change energy consumption is the key to designing performance-based markets and virtual power plants that address both immediate grid challenges and meet the urgent need to rapidly decarbonize. Having confidence in the data we share and use is a Step 1 issue. 

In order to make use of this data, utilities must ensure that private information is secure, fully anonymized and that sensitive customer information can never be compromised. 

That's why data security is, and has always been, part of Recurve's DNA. Third-party verified SOC 2 certification demonstrates that we are living up to our principals and ensuring that our security controls meet the highest standards in the industry. 

What is SOC 2 Certification?

Initially established by the American Institute of Certified Public Accountants (AICPA), a service organization controls (SOC) report is a tool to verify that a company is following best practices across a range of metrics. SOC 2 reports provide specific external assurance that a company or organization is providing a particular service securely. 

SOC 2 reports are based on a set of trust principles rather than rigid security standards. Each certified business or organization designs its own controls based on these trust principles, which are then third-party verified. Recurve has been vetted on the basis of the following trust criteria:

• Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives. 
• Availability – Information and systems are available for operation and used to meet the entity’s objectives.
• Confidentiality – Information that is designated “confidential” is protected to meet the entity’s objectives.

To qualify, Recurve agreed to terms with Linford & Co LLP, a Certified Public Accounting firm composed of former “Big Four” auditors and Information Security experts, for a comprehensive, company-wide audit. Recurve’s Demand Flexibility Management Platform, as well as the information technology (IT) infrastructure, systems and other internal controls used to support these services, were audited. The scope of the examination included evaluating key entity-level controls such as the control environment, risk assessment, information and communication, monitoring processes, and control activities.

The audit procedures were conducted in accordance with guidance established by the AICPA. Controls were applied that were established by management that are specific to the services provided by Recurve. Risks and control gaps were identified through interviews with management and other employees involved in the operations, reviews of the existing processes were conducted (e.g., walkthroughs) and all existing documentation related to the control criteria was reviewed. At the conclusion of the examination, Linford & Co issued their SOC 2 report. 

With security challenges that grow more complex each day, it is critical that any company that makes use of sensitive data establish robust processes and controls to ensure that it is kept safe. We strongly encourage all SaaS companies to pursue SOC 2 in order to shore up their own processes and provide assurance to their customers. 

If you have any questions about Recurve's systems and organization controls, feel free to contact us.