Free Assessment

Narva Software SOC 2 Readiness in Record Time with Axipro

Featured Partner

Vanta

Product

SOC 2

Industry

IT Services and IT Consulting

Company size

2-10 employees

Location

Kerpen, Germany

Narva Software SOC-2 Readiness Axipro

Share This Post

Narva Software, a leading Atlassian partner based in Germany, achieved SOC 2 readiness faster than expected, thanks to Axipro’s expert guidance and structured approach.
With a clear plan, hands-on support, and seamless collaboration, the Narva Software SOC 2 readiness journey became smooth, efficient, and stress-free.
If you’re preparing for SOC 2 and want a faster, less stressful path, this success story will show you how.

About Narva

Narva Solutions UG, known as Narva Software, is headquartered in Kerpen, Germany.
 The company builds innovative apps for Jira and Confluence, helping teams work smarter, collaborate better, and manage projects with greater efficiency.

Their solutions include:

  • Embedding external content into Confluence for richer documentation.
  • Exporting Confluence content quickly for sharing and reporting.
  • Enhancing Jira workflows with pre-built templates and labels.
  • Adding advanced capabilities to Confluence, such as LaTeX formula support.

Serving a global customer base, Narva Software is committed to delivering tools that make teamwork simpler and more effective.
When the time came to pursue SOC 2 compliance, they knew they needed a partner who could make the process clear, fast, and painless.

The Compliance Challenge

For Narva Software, achieving SOC 2 readiness was more than a checkbox. It was a way to strengthen customer trust, open doors to enterprise contracts, and demonstrate a strong commitment to data security.

However, the path to compliance came with challenges:

  • Understanding Vanta and configuring it for SOC 2 requirements.
  • Creating and refining the right security and operational policies.
  • Coordinating efforts without disrupting daily business operations.

They needed end-to-end guidance, a partner who could simplify the process while ensuring every requirement was met.
If this sounds familiar, you’re not alone. Many fast-growing companies face these same hurdles before they find the right compliance partner.

Why Narva Software Chose Axipro

Narva Software selected Axipro because of our proven record in helping companies achieve SOC 2, ISO 27001, HIPAA, and GDPR compliance.
As the Most Reviewed DRATA Partner, we are known for delivering results with speed, precision, and minimal disruption to business operations.

Our approach goes beyond simply “getting the badge.” We focus on building a compliance framework that strengthens operations and supports long-term growth.
For Narva Software’s SOC 2 readiness, they wanted a trusted partner who could own the process from start to finish, and that’s exactly what we delivered.

The Axipro Solution

We began by creating a structured, milestone-driven plan tailored to Narva Software’s timeline and business priorities.
Each stage was designed to make progress measurable and predictable.

Our team:

  • Guided Narva Software step-by-step through the Vanta platform.
  • Assisted in creating and refining the required SOC 2 policies.
  • Provided templates, best practices, and direct implementation support.
  • Coordinated closely with audit partner Johanson Group to ensure full readiness.

Because the plan was crystal clear, the Narva Software SOC 2 readiness process moved quickly, allowing their team to stay focused on building great products.
If you’ve been delaying compliance because it feels overwhelming, imagine what your team could accomplish with this kind of structured support.

Results Achieved

Narva Software reached full SOC 2 readiness faster than anticipated. The process delivered:

  • Well-documented and fully implemented security policies.
  • Confidence in meeting every SOC 2 requirement.
  • A smooth handoff to the audit partner with no last-minute issues.

With compliance in place, Narva Software is now positioned to attract more enterprise clients and strengthen its market credibility.
 Fast compliance, minimal disruption, and zero guesswork, that’s the Axipro difference.

Customer Satisfaction

Narva Software expressed genuine satisfaction with the results.
They appreciated how the SOC 2 readiness process was not only fast but also well-organized and easy to follow.
The team highlighted Axipro’s clear guidance, efficient use of the Vanta platform, and ability to keep the project on track without slowing down their core development work.

In their words, the journey to compliance felt “smooth, structured, and surprisingly quick” — exactly the outcome they were hoping for.

Your Compliance Success Story Starts Here

The Narva Software SOC 2 readiness success demonstrates what’s possible when expert guidance meets proven processes.
 At Axipro, we help businesses achieve SOC 2, ISO 27001, HIPAA, and GDPR compliance faster, with less stress, and without sacrificing productivity.

Whether you’re starting your first compliance project or preparing for a renewal audit, we can help you build the right roadmap and get you there with confidence.

Contact us today to begin your own compliance success story.

Secure Data Disposal ISO 27001 SOC 2 GDPR

Secure Data Disposal: ISO 27001, SOC 2 & GDPR Requirements

Pedro Dias June 3, 2026 7:11 am

Researchers who buy second-hand drives off online marketplaces keep finding the same thing: live data.  A widely cited study by Blancco Technology Group found that 42% of used drives sold on eBay still held recoverable information, including financial records and personal data the previous owners assumed was long gone. The drives were not hacked; they were thrown away by organizations that treated deleting a file as the same thing as destroying it. Secure data disposal is where many compliance programs fail. ISO 27001, SOC 2, and GDPR all demand it, but they describe it in different languages, enforce it through different mechanisms, and punish failure in very different ways.  This article sets out what each framework requires, where the requirements overlap, and how to run a single disposal program that satisfies all three at once. Why Secure Data Disposal Matters Across Compliance Frameworks Disposal is the last link in the data lifecycle, and the easiest one to skip. An organization can run flawless access controls, encryption, and monitoring for years and still cause a reportable breach the moment one unwiped laptop leaves the building. A recoverable drive in a recycling skip is functionally identical to an open database on the internet, and auditors and regulators know it. Most disposal failures are unforced errors: a control that was already written into policy but never carried through to the actual hardware. The gap between having a disposal policy and proving this specific drive was destroyed is exactly where audits and breach investigations live. Defining Secure Data Disposal: Key Terms and Concepts What Is Secure Data Disposal? Secure data disposal is the end-to-end process of removing data and the equipment that holds it from active use, in a way that prevents its recovery. It covers the full lifecycle end: deletion of data while a system is still live, sanitisation of media that will be reused, physical destruction of media that will not, and the safe handling of equipment that is recycled, returned to a lessor, or sold. Disposal is the goal. The methods are how you get there. What Is Secure Data Destruction? Secure data destruction is the subset of disposal that renders media permanently unusable or its contents mathematically irretrievable. Shredding a drive, pulverising it, incinerating it, or destroying the encryption keys that make an encrypted disk readable are all forms of destruction. Destruction is one route to disposal, and it is the right route when the data is highly sensitive, or the media will never be reused. Secure Data Disposal vs. Secure Data Destruction: What Is the Difference? The distinction matters more than it looks. Disposal is the outcome you owe to every framework: data gone, unrecoverable, equipment handled appropriately. Destruction is just one of the methods. You can dispose of data without destroying the hardware by sanitising a drive thoroughly enough to reuse it. Confusing the two leads to two classic mistakes: destroying assets that could have been securely wiped and reused, and assuming a quick deletion counts as disposal when it does not. Important: Emptying the recycle bin, formatting a drive, or hitting delete does not dispose of data under any of these frameworks. Standard deletion only removes the pointer to the data; the bits remain until they are overwritten. Every framework discussed here expects the data to be unrecoverable, which is a far higher bar than not visible. What ISO 27001 Requires for Secure Data Disposal ISO/IEC 27001 handles disposal through a small cluster of Annex A controls that auditors read as a single process rather than in isolation. The two controls that do most of the work are 7.14 and 8.10. For a deeper look at how these controls fit into a broader compliance program, see our ISO 27001 implementation guide. ISO 27001 Annex A 7.14: Secure Disposal or Re-Use of Equipment Annex A 7.14 is a physical control. Before any equipment is disposed of or reused, the organisation must check whether it holds information assets or licensed software and ensure those are permanently erased or the media physically destroyed. It applies to servers, laptops, desktops, mobile devices, printers, network gear, and any storage media: if it ever processed information, it is in scope. The control replaces the older 2013 clause 11.2.7 and adds explicit expectations around removing identifying markings and handling end-of-occupancy scenarios. ISO 27001 Control 8.10: Information Deletion Annex A 8.10 is a technological control, and it focuses on the data rather than the box. It requires information stored in systems, devices, or media to be deleted when it is no longer required, and rendered unrecoverable. The cleanest way to keep these straight: 8.10 governs the data while it is in use or reaches its retention limit; 7.14 governs the hardware at end of life. Most retention-driven deletion sits under 8.10; most decommissioning sits under 7.14. ISO 27001 Control 8.12: Data Leakage Prevention and Its Role in Disposal Control 8.12 is rarely filed under disposal, but improperly discarded media is one of the oldest data leakage channels there is. A drive that leaves your control with recoverable data on it is a leak, regardless of how it left. Treating disposal as part of your leakage prevention posture forces the right question at the right time: what could walk out the door on this device, and has it actually been removed? Physical Destruction and Irretrievable Erasure Under ISO 27001 ISO 27001 offers two broad routes: physically destroy media that holds information, or erase and overwrite it so retrieval by a malicious party is precluded. The standard cross-references ISO/IEC 27040 for detailed sanitisation methods. The unifying requirement is that recovery should be impractical, not merely inconvenient. Deletion alone never satisfies this. Overwriting, Full-Disk Encryption, and Other Approved Methods Overwriting user-accessible storage with multiple passes is acceptable for many sensitivity levels. Full-disk encryption changes the economics of disposal entirely: if a device is encrypted from day one and the keys are properly managed, secure disposal can be as simple as destroying the keys, a technique known as

Read More »
Business Continuity Plan Testing for SOC 2

Business Continuity Plan Testing for SOC 2

Pedro Dias June 2, 2026 2:06 pm

A business continuity plan that has never been tested is, to a SOC 2 auditor, a document and nothing more. The Availability criteria do not award credit for a polished plan sitting in a shared drive. They ask for evidence that you ran the plan, watched it work or fail, recorded what happened, and fixed what broke. That gap — between having a plan and proving it works — is where most availability findings originate. Business continuity plan testing for SOC 2 is the exercise that turns your plan into auditable evidence. It maps directly to Availability criterion A1.3, one of the few SOC 2 controls that explicitly requires you to test something rather than merely document it. This guide covers what counts as a valid test, the test types auditors accept, a step-by-step process, the exact evidence you need, and the mistakes that turn a routine review into a finding. What Is Business Continuity Plan Testing in the Context of SOC 2? Business continuity plan (BCP) testing is the structured validation of whether your organization can keep critical operations running — and restore them within defined targets — during a disruption. In a SOC 2 context, the testing is not freeform. It must produce dated, traceable evidence that the recovery procedures in your plan actually work, that the people involved know their roles, and that systems and data come back within your stated recovery objectives.   Why SOC 2 Requires Business Continuity Plan Testing SOC 2 is an attestation against the AICPA’s Trust Services Criteria, and the Availability category exists specifically for organizations that make uptime or resilience commitments to customers. A plan you never exercise cannot demonstrate operating effectiveness over the audit period — which is the entire point of a Type 2 examination. Testing is the control that converts a static plan into a recurring, observable activity an auditor can sample. SOC 2 Trust Services Criteria and BCP Testing Requirements Availability is one of the five Trust Services Criteria, and it is optional, included only when your service commitments warrant it. When in scope, it is built around three sub-criteria: A1.1 addresses capacity management. A1.2 addresses recovery infrastructure and backup processes. A1.3 addresses the testing of recovery procedures. BCP testing lives squarely in A1.3, with A1.2 supplying the backups and infrastructure that the test validates. Availability Criteria A1.2 and A1.3 Explained Per the AICPA’s Trust Services Criteria, A1.2 requires the entity to design, implement, operate, and monitor environmental protections, recovery infrastructure, and data backup processes that meet its availability objectives. In plain terms: you need real backups, stored away from production, with recovery infrastructure ready to use. A1.3 then requires the entity to test recovery plan procedures supporting system recovery to meet its objectives. The two work as a pair: A1.2 builds the capability, A1.3 proves it functions. Important: The most common A1.3 gap is not a missing test. It is a test that never validated the recovery objectives. Teams run a tabletop, write “no issues found,” and move on — but the plan claims a 4-hour RTO that no one ever measured against an actual restore. If your plan states recovery targets, your test evidence must show whether you met them. A test that does not measure against your RTO and RPO leaves the most important question unanswered.   What Auditors Look for During a BCP Test Review Auditors want proof that the test happened, proof that it was meaningful, and proof that it led somewhere. Concretely, that means a test plan with a defined scenario, a dated record of execution with participants, results measured against your recovery objectives, a list of gaps or issues found, and evidence that those issues were remediated. A test that finds nothing and changes nothing is treated with suspicion — because real tests almost always surface something.   Types of Business Continuity Plan Tests Accepted for SOC 2 SOC 2 does not mandate a specific test type. It expects the rigor of the test to match the criticality of what you are protecting. The four common approaches sit on a spectrum from low-effort, low-disruption to high-effort, high-assurance. Tabletop Exercises A tabletop exercise is a facilitated discussion where key personnel talk through a disruption scenario and their responses. It is cheap, fast, and excellent for confirming that people understand their roles and that the plan reads coherently. Its limit is obvious: nobody actually recovers anything. For many organizations a tabletop is a legitimate annual test, especially in the first audit cycle, but auditors expect more rigor as a program matures. Walkthrough and Simulation Tests A simulation applies a specific scenario and asks the team to perform recovery actions, not just describe them. It is more involved than a tabletop and far better at exposing the gaps that only appear when people touch the tools. Simulations are where teams discover that a runbook references a system that was decommissioned, or that the on-call engineer lacks the access the plan assumes. Full Interruption Tests A full interruption test shuts down primary systems and shifts operations entirely to the recovery environment. It is the most comprehensive validation available and the only one that proves your failover genuinely works end to end. It also carries real operational risk, so it demands thorough planning and is usually reserved for mature programs and the most critical systems. Parallel Testing Parallel testing activates recovery systems alongside production without taking the primary offline, then compares the two to confirm the recovery environment performs as expected. It delivers much of the assurance of a full interruption test while sparing the business the disruption. For most SaaS and cloud-hosted services, parallel testing of failover and restore is the sweet spot between confidence and risk. How to Test Your Business Continuity Plan for SOC 2 Compliance The sequence below aligns with the contingency planning process in NIST’s Contingency Planning Guide, SP 800-34, which auditors widely treat as authoritative for resilience practices. Each step produces an artifact, and the artifacts together form

Read More »