Join 34,000+ subscribers and receive articles from our blog about software quality, testing, QA and security.

Security Questions needed for SOC2 Compliance


Our company is SOC2 compliant and we are being asked due to the changes in SOC2 to have the following questions answered. We have not been able to get answers from Gurock/TestRail and I am wondering if anyone else is having this issue or if anyone else has received answers? Any help is greatly appreciated!!

  1. Has their security policy changed since March of 2016? Is it reviewed on a regular basis?
  2. Are TestRail employees required to use 2-factor authentication to access the production environment? (we want to know if the answer to this has changed since last year)
  3. Does the application support 2-factor authentication for our access to the services? They said this was on their feature request list. Has it been implemented?
  4. Do you have a status page for notifying customers of any interruption of service:? Last year they said this was on the to do list, has it been implemented?
  5. What is the timeframe in which you notify customers of security incidents which may affect their data and/or services? How does that notification occur? (has their answer changed since last year?)
  6. They said they never delete our backup data in 2016. Has this changed?


Hi Mary,

Thanks for your post! Can you send an email into so we can address your concerns? This would be the best approach for security related questions/concerns. We look forward to your email!



Hi Madmarytappe,

Were you able to get a response from Gurock on this? Please let me know.