Thinkproject solutions pass SOC 2 & C5 audits

Thinkproject has received official SOC 2 & C5 certifications for its Document & Communication Management solutions and services.


Feb. 26, 2024

The U.S. SOC 2 security standard (System and Organization Controls 2), which has been defined by the American Institute of Certified Public Accountants (AICPA), is primarily aimed at security in cloud computing, unlike standards such as ISO/IEC 27001. The standard also aims to create maximum information security for cloud services – for operators and customers alike. The audit for Thinkproject’s SOC 2 attestation was carried out by HKKG Wirtschaftsprüfungsgesellschaft, headquartered in Cologne. 

The SOC 2 test was derived from the C5 test by comparing the requirements. Thus, Thinkproject has received an attestation according to the German C5 criteria and the SOC 2 requirements at the same time. C5:2020 (Cloud Computing Compliance Controls Catalogue) is a catalogue of criteria used by the German Federal Office for Information Security (BSI) to define the requirements for secure and compliant cloud computing. If, for example, German (federal) authorities and financial institutions use cloud offerings, there is even a legal obligation to insist on compliance with the C5 criteria when awarding contracts. C5 has similar relevance for operators of critical infrastructure (KRITIS) according to the German BSI law.

The SOC 2 and C5 criteria catalogues

The SOC 2 and C5 attestations prove that Thinkproject’s SaaS-based Common Data Environments (CDE) – CONCLUDE CDE and EPLASS CDE – have the highest level of security for cloud solutions. SOC 2 is originally a U.S. standard according to which service organisations generate reports on the status of defined internal control parameters. These parameters include the security and availability of the data, the integrity of the data processing, confidentiality and data protection aspects. 

The American Institute of Certified Public Accountants has defined this security standard in accordance with the AICPA Trust Services Principles and Criteria. Closely related to the criteria of SOC 2 is the specifically German criteria catalogue C5 of the German Federal Office for Information Security (BSI). 

An attestation according to the BSI’s C5 criteria catalogue can also be regarded as an indicator that a provider of cloud services protects its infrastructure as strongly as possible against cyberattacks. The BSI’s C5 catalogue comprises 17 categories (domains), which consist of basic criteria, additional criteria and supplementary information. 

In total, the C5 catalogue defines 127 requirements (controls) across the entire company, its processes and its personnel. For example, C5 deals with requirements relating to personnel deployed, physical security compliance, identity and rights management, communication security, cryptographic measures and key management, as well as the handling of security incidents. 

IT security is indispensable for SaaS solutions

“In Germany, C5 conformity is often a mandatory, legally required criterion for public sector tenders,” explains Dr. Ralf Hundhammer, CTO of Thinkproject. “This catalogue of requirements from the BSI has similar relevance for operators of critical infrastructure and for financial institutions. One could say that the C5 attestation of subcontractors such as Thinkproject is indispensable for operators of KRITIS to ensure verified, highest possible information security. But the triumph of cloud computing continues throughout the economy, worldwide.”

“Whether SOC 2 or C5 – more and more companies are paying close attention to the fact that a provider meets the relevant security standards when choosing a cloud or SaaS provider, if only out of well-understood self-interest. In this context, the great advantage of criteria catalogues such as SOC 2 and C5 is that they specifically address security in cloud computing. In the cloud sector, they have much more granular requirements than ISO 27001, for example. With the successful SOC 2 and C5 audit, we can now document that we meet all security requirements at Thinkproject: from general certification according to ISO 27001 to cloud-specific attestations. For us and for our customers, cybersecurity is rightly a topic of central importance,” he adds, “because digitalization and information security must go hand in hand.” 
