Spare Interview: Spare CTO Alexey Indeev explains how and why Spare became fully SOC-2 and HIPAA compliant

We’re certified! Spare becomes the first on-demand transit software provider to be fully SOC-2 and HIPAA compliant. Spare CTO Alexey Indeev explains how and why we took this step.


Niklas MeyMonday, July 19, 2021

Spare uses data like true origin-destination, as well as personal health and identity information, to help transit agencies deliver more efficient and personalized microtransit and paratransit. For instance, we collect customer health forms to enable the digital processing of paratransit applications through our customer relationship management tool Spare Engage.

As keepers of this data, we have a responsibility to prevent harmful data breaches, which can be economically devastating for a business and its customers. That’s why we decided to work with an external auditor and make all our products and processes meet the stringent requirements outlined in the SOC-2 security compliance framework and under the Health Insurance Portability and Accountability Act (HIPAA). We’re proud to announce that we succeeded and are the first on-demand transit software provider to be fully compliant with both.

Spare Chief Technology Officer Alexey Indeev shares more about why we took these steps, how we adapted our products and processes and why others in the industry should do the same.

What’s the goal of SOC-2 and HIPAA regulations?

SOC-2 is a widely used security framework. A compliant system is one that assures the security, processing integrity, confidentiality, and privacy of customer data.

HIPAA is different — it’s an American law that protects an individual’s health data while still allowing information to flow in order to provide them with high-quality healthcare services.

What do software makers have to do to comply with each?

In general, it means following secure development practices and ensuring that customer data and health information is stored and processed in ways that minimize the risk of data falling into the wrong hands.

There is no one specific way to “be secure”, but by following strong industry standards for storing and processing data we can be confident that we’re as up to date as possible.

We’re the first on-demand transit software maker to officially achieve SOC-2 and HIPAA compliance. Why did we take this step and why now?

Compliance is not currently standard in our industry. Despite Spare working with mobility providers around the world, we’re still a relatively young company with a lot of flexibility in both our products and processes. It’s much easier to update these now and simply maintain that strong security framework going forward rather than adopting it later when Spare’s footprint grows.

We already had an incredibly secure product so adopting the SOC-2 framework wasn’t a huge lift. But it helps us explain to our partners exactly what we’re doing to keep their data safe.

In terms of HIPAA — we’re expanding rapidly into the paratransit eligibility space with our CRM Spare Engage, which supports our operational platform for paratransit. This solution can really help transit agencies digitize, automate and speed up the paratransit eligibility process. To do this, we need to store lots of personal health information so it was important for us to meet HIPAA standards as prescribed by the law.

Why should transit agencies care if their technology partners are SOC-2 and HIPAA compliant?

If the software partner is not SOC-2 or HIPAA compliant then transit agencies need to be doing their own due diligence. The financial and reputational risks are simply too high to look the other way. But this is often an incredibly time-consuming task. Requiring partners to perform their own audits through a trained auditor not only reduces the risk of a data breach but saves the agency a lot of time and money.

What did Spare actually have to do to achieve compliance?

There is of course a strong technology component. For instance, we started tracking our dependency vulnerabilities and set up a process for regularly patching our software. We also improved how we access our production services and added a layer of security.

But security compliance has a strong people factor and you are only as secure as your weakest link. The entire company has to be trained on best security practices with clear guidelines and policies. We also had to ensure that customer data is only accessed on a need-to-know basis and that there are clear access policies in place.

---

To find out more about Spare’s security processes and compliance with other data protection standards like GDPR and SSO, check out our complete security and privacy policies. Want to know more about how we’re securing user data in Spare? Reach out to us at [email protected]