Compliance / SOC 2
The audit framework a lot of your clients' own customers require them to answer for — and that requirement flows straight down to you as their MSP.
If a client answers to SOC 2 (increasingly common the moment their own customers are enterprise or handle sensitive data), their auditor will ask about vendor security — which means your access to their systems, your credential handling, and your own security posture become part of their audit evidence, whether or not you signed up for that directly.
This describes what the module tracks against SOC 2 — not a claim that Nexus or any client on it is certified or audited against it. See the compliance & QBR module for the full picture, or read the blog for more on how we think about compliance tooling.
A widely-adopted, vendor-neutral structure for cybersecurity posture — Identify, Protect, Detect, Respond, Recover — that shows up in RFPs, cyber-insurance questionnaires, and board conversations alike.
If any client handles protected health information, HIPAA's Security Rule reaches your MSP the moment you touch their systems — business associate agreement or not.
Any client that takes card payments — a retail shop, a restaurant, a small e-commerce operation — answers to PCI-DSS, and their network security posture is frequently the MSP's responsibility to maintain.
Join the design-partner cohort and we'll walk through the control mapping for your own clients.