Should service organizations that make use of a SOC 1-compliant data center be SOC1 compliant? The answer is simple; if a service organization processes data with a financial impact on behalf of the customer, it should be SOC compliant. Internal controls should be implemented logical access, security, and processing of customers’ data.

Nationaal Hypotheek Loket received an ISAE 3402 Type 1 statement and demonstrates that the processes surrounding mortgage application and risk management are controlled.