Why Your CMS Needs SOC 2 Compliance

Will Ezell

What if you had to submit your website to a third party for review and they found you were not meeting industry security standards? What if the third party was a government agency that looks out for consumers' best interests such as the Federal Trade Commission or European Union Agency for Network and Information Security?

The risks of running your CMS on an insufficently secured platform are many, from reputational damage, to multi-million dollar ransomware demands, to civil penalties and damages that can be incurred - the cost of insecurity can quickly add up. Standards like SOC 2 (System and Organization Controls 2) are designed to assess and report on how companies are doing in regards to their security, data management processes, business continuity practices and their preparedness for security and compliance risks in their IT systems.

This blog post will explore the risks associated with non-compliance and how a SOC2-compliant CMS helps protect your company by ensuring adherence to information security standards.

What Is SOC2?

SOC 2 is a report created by the American Institute of CPAs, that evaluates how well an organization, be it a software provider or any other company, provides a safe operating environment that protects the organization and the client's data privacy. SOC 2 reports explore the placement of the internal data governance controls within an organization.

What Does It Mean To Be Compliant?

SOC 2 compliance assesses how effective your organization's security practices and controls are. For a CMS, to be compliant means that all the data stored within it is safe and protected against unauthorized access and malicious actors, that the engineering efforts that support and maintain the system are all secured and that the organization has the proper policies to govern hiring, personelle and operations. Choosing a SOC 2-compliant CMS means that you're choosing a platform that takes pride in its security practices and is prepared to protect your data and assets.

Read More: What Is SOC2 And Why Is It Important?

What Is the Difference Between SOC 2 Type I and Type II?

Despite the similarities in name, SOC 2 Type I and Type II are of very different scopes. The SOC 2 Type I report measures security controls at a point in time, whereas a SOC 2 Type II report is a living audit and reports on ongoing opererations over an extended peroid of time. This is really the difference between claiming that a service is secure and compliant vs. actually proving that the service is secure and compliant over time. It is important that any service you rely upon be SOC 2 Type II compliant and have demonstrated proper security and controls over time.

Why a CMS Needs to Be SOC 2-Compliant

Simply put, a SOC 2-compliant CMS commits to protecting your data and privacy. Still, apart from the solid gains in user trust that compliance gives, there are other technical and operational reasons why CMSs need to pursue SOC 2 compliance. SOC 2 reports are built upon five criteria.

  • Security (madatory)
  • Availability (optional)
  • Confidentiality (optional)
  • Processing Integrity (optional)
  • Privacy (optional)

In any SOC2 report, the Security critera is mandatory and is at the core of the report, whereas the the other four critera are optional.


A SOC-2 compliant CMS is protected against malicious actors, unauthorized access, and inappropriate disclosure of information. A compliant CMS offers you firewalls, data encryption, and two-factor authentication.


One of the markers of a SOC 2-compliant CMS is that it can operate at all times. A SOC-compliant CMS like dotCMS leverage a CDN to guarantee availability to meet your company's objectives. Also, a SOC-compliant CMS needs to offer performance monitoring, proper data handling, and have disaster recovery methods to ensure your data is always reachable.

Processing Integrity

Processing Integrity is specifically targeted to services that transact money, such as credit card processors. Processing integrity ensures that transactions that are processed in a system are complete, valid, accurate, and timely. A SOC 2 audit for Processing Integrity ensures that the system has no errors in transactions that could compromise your data integrity or operations. It also ensures that if any error appears, it can be quickly contained and corrected.


CMSs need to protect their users' data confidentiality and restrict it to a specified set of people and organizations. A compliant CMS ensures that all your intellectual property stays protected and confidential and that only people with the appropriate clearance can access it. It also ensures that your company data stored in dotCMS is encrypted at rest, will never be misused and will be wiped clean upon request.


Privacy is specifically targeting secure services that store personal identifiable information such as social security numbers or personal health care data. Compliance ensures that the all such personal data is encrypted and safeguards your data and assets..

dotCMS: A SOC 2-compliant CMS

Because dotCMS was not intedend to transact or store personal information, we opted to report on Secrity, Availability and Confidentically, all of which are important attestations for our cloud customers.

SOC 2 is one of the highest security compliance standards in the business world and signals dotCMS' commitment to security and data protection. A CMS that's compliant with SOC 2 gives you an extra layer of security and the peace of mind you need to scale your operations.

We've implemented a set of certified security processes and controls to help protect the data entrusted to us through the dotCMS Security and Privacy Policies. This helps us comply with security and privacy certifications, standards, and regulations. This includes SOC 2, ISO 27001, GDPR, and the EU-U.S. Privacy Shield.

dotCMS is SOC 2 certified for operational security and meets these standards. We selected BARR Advisory, an independant Security Auditing and Consulting firm to perform our third party audit and to report on our privacy, security, and availability to ensure that they exceed industry standards. 3rd party audits also ensure that the CMS authoring environment and delivery layer meet the latest security standards.

If you're interested in knowing more about our data privacy and security policies, read our whitepaper Website Compliance in 2021: Delivering Accessible Digital Experience with dotCMS.

Will Ezell
Chief Technology Officer
October 20, 2021

Filed Under:

security soc2

Recommended Reading

Mastering the New Universal Visual Editor in dotCMS: A Technical Deep Dive for Developers

Explore dotCMS's Universal Visual Editor, merging WYSIWYG simplicity with headless CMS flexibility. This tool offers drag-and-drop editing, inline content editing, and NoCode tooling for seamless omni...

Benefits of a Multi-Tenant CMS and Why Global Brands Need to Consolidate

Maintaining or achieving a global presence requires effective use of resources, time and money. Single-tenant CMS solutions were once the go-to choices for enterprises to reach out to different market...

Headless CMS vs Hybrid CMS: How dotCMS Goes Beyond Headless

What’s the difference between a headless CMS and a hybrid CMS, and which one is best suited for an enterprise?