September 28, 2022

Understanding SaaS Compliance – SSAE 18 / SOC 1 / SOC 2

The software publishing industry has experienced significant growth in the past 5 years and projected to continue at a significant pace (2%-5%) as businesses and consumers increase spending and invest in new technology. software-industry-breakdown-2012

Businesses account for almost 82% of all software related spending with Finance and Insurance leading the pack. Many of the new enterprise software solutions produced now include a SaaS offering (sometimes the sole option), intended to reduce IT overhead / infrastructure compatibility issues and allow more flexible licensing options.

SaaS solutions let a business leave the development and maintenance to the experts and focus on enhancing operations and securing new business. However, these benefits bring additional compliance concerns that software developers and even the end users must concern themselves with as increased oversight and growing demand for industry regulations continue.


Users of SaaS Products in the Enterprise

Businesses are making use of SaaS applications more than ever, but, trusting operations and confidential data with another company can be nerve racking. However, use can also relieve a number of headaches that come with upgrading to the latest software or even worse, developing internally.


  • Reduce the need to hire expensive IT personnel to develop and maintain the software and infrastructure
    • Your developer isn’t the only one with knowledge, so, they cannot hold you hostage!
    • Prevent costly failed development attempts (knowing the business and ability to develop software don’t always align as well as hoped)
  • Reduce IT infrastructure costs (no need to add servers or face compatibility issues)
  • Easier to switch solutions if a better one is available (no infrastructure!)
  • Reduction in compliance issues as controls would be the responsibility of the SaaS provider.


  • Reliance upon another company for business operations and hosting of confidential data.
  • Unable to customize software to business operations as much as an internally developed solutions.
  • Cannot guarantee bug fixes and security vulnerabilities are addressed timely.

So how do you know the application provider is performing their duties appropriately in a controlled, stable, and secured environment? This concern is what SOC 1 (SSAE 16) and SOC 2 seek to address.

SaaS Developers / Providers

Operating a third party hosted solution brings additional responsibility that a software developer didn’t have to be concerned with in saas ssae 16 soc 1 soc 2the past. SaaS providers must be dependable – keeping the system online, functional and secure for your customers that depend on it. To obtain this assurance, many companies require proof that your business has proper controls in place and reviewed by a third party accounting firm. Controls for these services usually are designed based on a combination of security, confidentiality, availability, processing integrity and privacy principles. The appropriate combination will depend upon the product/service offered, level of data confidentiality required, and any customer specific requirements/requests.

Whether you develop software solutions for health care, finance, government or other industry, it is common to see a SOC 1 or SOC 2 as a prerequisite in RFPs. The SOC 2 report is typically the most appropriate for a SaaS solution, but, a SOC 1 (SSAE 16 – now SSAE 18 as of May 1, 2017) is the most requested (although not always the most relevant). The cost for an audit can vary greatly depending on the number of controls, size of the company, and complexity of the IT infrastructure.

From insider scandals to outside threats, the protection of corporate and personal information is the corner stone of information security compliance.  Obtaining a current SOC 1 (SSAE 16/18) or SOC 2 audit report can be a significant differentiator within your industry and provide value to new and current customers.


Contact Skoda Minotti

Please complete the form below to contact Skoda Minotti for additional information and note any relevant information that may help us fulfill your request.

* indicates required field


  1. hosting de calitate

    I could happily take the headaches from the software upgrade than keep using these versions

  2. Most of the new company computer software solutions created now add a SaaS featuring (sometimes the sole option), designed to minimize THE ITEM cost to do business or commercial infrastructure compatibility problems and allow a lot more adaptable licensing possibilities ninja blender reviews.

  3. I’m a bit paranoid when it comes to security so I totally agree with this article. Thanks!

  4. that graphic is from 2012. I wonder how much the figures have changed since then. Does anyone have an update on that?