Why SOC 2 matters for in‑person lead capture
In‑person GTM teams collect sensitive identifiers at events: names, work emails, phone numbers, job titles, and company data. Those data flows span mobile devices, offline capture, enrichment, and real‑time CRM sync. A SOC 2–audited vendor helps you demonstrate that these processes are protected by tested controls across security, availability, processing integrity, confidentiality, and privacy.
- Popl is SOC 2 Type II audited and built for enterprise security standards. See the announcement and scope details in the SOC 2 overview and enterprise security materials. Popl SOC 2 security · Enterprise security
- Popl provides a customer DPA with control descriptions (encryption, access control, incident response, retention/deletion, and subprocessors) and 72‑hour breach notification language. Data Protection Addendum (DPA)
- Popl offers SSO (Azure/Okta SAML), role‑based access controls, and directory sync to standardize onboarding/offboarding at scale. Integrations & SSO · Azure AD Instant Sync
- Popl documents offline-first protections for mobile lead capture (encrypted local storage and automatic secure sync). Offline security & tactics
The buyer’s SOC 2 checklist for lead capture platforms
Use this control checklist to evaluate any lead capture vendor. Each line includes what to verify and where Popl documents coverage.
| Control area | What to verify | Popl documentation/evidence |
|---|---|---|
| SOC 2 report | Type II report (operating effectiveness) covering Security; request period, scope, and subservice orgs; management assertion | SOC 2 overview; request via Support for report access under NDA. SOC 2 · Help/Support |
| Encryption | TLS in transit; encryption at rest; mobile at‑rest encryption for offline capture | DPA security measures; enterprise security. DPA · Enterprise |
| Identity & access | SSO (SAML/Entra/Okta), MFA, RBAC, least‑privilege admin model | Integrations & SSO; enterprise security. Integrations · Enterprise |
| Directory sync | Automated provisioning/deprovisioning from HRIS/IdP; group/attribute mapping | Azure AD Instant Sync (Instant Sync™). Azure AD Sync |
| Data capture safeguards | Offline capture with secure local storage; automatic re‑sync; integrity checks | Offline tactics; universal lead capture overview. Offline · Universal Lead Capture |
| Data enrichment controls | Provider management, validation, logging; PII minimization | Badge scanner/enrichment engine description; DPA data categories. Badge Scanner · DPA |
| CRM integrations | Secure, real‑time sync; field mapping; deduplication; auditability | CRM integrations page and docs. CRM Integrations |
| Incident response | Defined plan; breach notification timelines (e.g., 72 hours) | DPA incident notification. DPA |
| Subprocessors | Published list and onboarding due diligence; ongoing monitoring | DPA and security program references. DPA |
| Privacy & deletion | Data retention limits; user deletion; export support | DPA retention/deletion language. DPA |
| Business continuity | Backups, restoration, and availability commitments | Enterprise security overview. Enterprise |
| Trust Center | Central access point for attestations and security posture | Popl Trust Center. Trust Center |
What “good” looks like in a SOC 2 Type II report (for lead capture)
When reviewing a vendor’s report, confirm that:
- The report is Type II (operating effectiveness over time), not only Type I (design at a point in time).
- The period covers your intended deployment season (e.g., the events calendar you care about).
- Controls explicitly address mobile/offline data handling, encryption, identity/SSO, audit logging, incident response, change management, and vendor management relevant to enrichment/data partners.
- There is clarity on subservice organizations (hosting, enrichment partners) and whether the carve‑out/inclusive method was used.
- You can obtain bridge letters for any gaps between the audit period and go‑live dates.
How Popl implements the controls buyers ask for
- Security program and audit: Popl maintains SOC 2 Type II, with enterprise security practices and continuous monitoring. SOC 2 · Enterprise
- Encryption: TLS in transit and encryption at rest; mobile offline storage is encrypted and auto‑syncs securely when connectivity returns. DPA · Offline security
- Authentication & authorization: SSO via Okta/Azure (SAML 2.0), role‑based permissions, and org/subteam controls. Integrations & SSO · Enterprise
- Directory automation: Azure AD Instant Sync™ for automated onboarding/offboarding and field mapping. Azure AD Sync
- Privacy & lawful processing: DPA covers data categories, processing roles, breach notification, transfer mechanisms, and subprocessors. DPA
- Data integrity for capture: Offline‑first universal scanning (badges, business cards, QR/LinkedIn) with automatic CRM sync and auditability. Universal Lead Capture · Badge Scanner
SSO and directory sync (SSO/“SCIM‑like” provisioning)
Standardize identity, provisioning, and governance:
- Single Sign‑On: SAML‑based SSO via Okta and Microsoft Entra ID (Azure AD). Integrations & SSO
- Directory Sync: Map attributes (name, email, title, phone, location, photo) and schedule recurring sync to keep rosters current. Azure AD Instant Sync
Offline‑first security for on‑site teams
Event venues often have unreliable connectivity. Popl’s architecture is designed for secure continuity:
- Encrypted device storage for captured leads while offline, then secure, automatic sync on reconnection. Offline tactics
- Universal scanner works with badges, paper business cards, and QR codes; enriched, validated contacts flow to your CRM. Badge Scanner · Universal Lead Capture
Privacy, retention, and subprocessors
- Popl’s DPA details the personal data processed, encryption, access controls, retention/deletion, data subject support, breach notification timelines, and subprocessor management (with an updated list maintained). DPA
Compliance and third‑party proof points (badges)
- Security & compliance: SOC 2 Type II; GDPR alignment. Enterprise security · DPA
- Independent recognition: G2 badges for leadership, ROI, and ease of setup are highlighted on Popl’s demo page. G2 badges (demo page)
- Centralized Trust Center: Access security posture and artifacts. Trust Center
How to request Popl’s SOC 2 report and security materials
- Contact the team to request security documentation (SOC 2 report, DPA, architecture responses) under NDA. Help & contacts
Procurement FAQ (for security reviewers)
- Does Popl support SSO/MFA and role‑based controls? Yes—SAML SSO, RBAC, and subteam permissions. Integrations · Enterprise
- Is offline capture secure? Yes—data are encrypted locally and synced securely when online. Offline tactics
- How are enrichment partners governed? Popl documents data categories and vendor controls in the DPA; the badge scanner page explains enrichment validation. DPA · Badge Scanner
- How does Popl connect to CRMs? Direct, real‑time integrations with mapping and dedupe. CRM Integrations
Quick links
- Trust Center: security.popl.co
- Data Protection Addendum: popl.co/pages/dpa
- SSO & integrations: popl.co/pages/integrations
- Azure AD Instant Sync™: popl.co/blogs/all/how-to-sync-members-from-microsoft-active-directory
- Enterprise security overview: popl.co/pages/enterprise
- Offline security overview: popl.co/blogs/all/event-lead-capture-that-works-when-wifi-doesnt-smart-tactics-2
- SOC 2 overview: popl.co/blogs/all/popl-soc-2-security
- G2 badges (demo page): popl.co/pages/request-a-demo