Learn About SOC 2

SOC 2 is a compliance standard (not a certification) that specifies how companies should manage customer data. SOC 2 guidelines are built on five sets of standards, known as the Trust Services Criteria.

Frequently Asked Questions

What is SOC 2?

SOC 2 (Service Organization Control) is the standard of the AICPA that is widely considered the benchmark for trust in the cloud industry.

What are the five sets of SOC 2 standards?

1. Confidentiality: Confidential information is protected.
2. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies. Unlike the confidentiality section, the privacy section applies only to personal information.
3. Availability: Your information and systems are available for operation and use.
4. Processing integrity: System processing is complete, valid, timely, authorized, and accurate. Throughout the course of data processing, customer data remains correct.
5. Security: Your systems and the data you store are protected against unauthorized disclosure and unauthorized access.

How many types of SOC 2 compliance exist?

There are two types of SOC 2 compliance – Type 1 and Type 2.

Type 1 assesses controls at a single point in time, whereas Type 2 assesses them over a period of time and is therefore more difficult to achieve.

Why is SOC 2 important?

Being able to demonstrate that you’re SOC 2 compliant is important because it shows that your company has adequate, effective controls in place to govern how information is handled within the business.

This is a more reliable process than simply giving your word to enterprise clients that you have sufficient security controls in place to protect sensitive data, since a SOC 2 audit is performed by an independent third-party auditor.

In turn, this adds tangible credibility to the security features that your company has in place.

Is SOC 2 compliance mandatory?

SOC 2 is a voluntary compliance standard; however, that doesn’t mean your company won’t need it.

Some enterprise clients that deal with large volumes of data may require partnering companies to remain SOC 2 compliant, in order to ensure every possible protection is in place to secure their confidential data and prevent data leaks.

It may be a mandatory requirement for future partnerships, so it’s a good idea to ensure that your business remains SOC 2 compliant.

Who must comply with SOC 2?

Service organizations that process or store sensitive client data should consider a SOC 2 audit and maintain compliance.

Because SOC 2 has been largely accepted as an important part of the United States standard for information security, the number of companies being asked to undergo a SOC 2 audit and remain SOC 2 compliant continues to grow on an annual basis.

What is a SOC 2 audit?

A SOC 2 audit report offers in-depth information about how well a service organization is meeting the five SOC 2 sets of standards: confidentiality, security, processing integrity, privacy controls, and availability.

The audit should be performed by a licensed CPA firm. If a third-party company that isn’t CPA licensed performs the audit, a CPA firm must sign off on the audit after it’s completed.

How do I become SOC 2 compliant?

If you’re interested in your business becoming SOC 2 compliant, you’ll need to hire a third-party auditor to visit your business and perform a SOC 2 audit.

A useful first step towards getting SOC 2 compliant is signing up to use the MedStack platform for your business, since we take steps to ensure the SOC 2 compliance process goes as smoothly as possible for your company.

How can MedStack help with SOC 2 compliance?

Annual Report

MedStack does an annual Type 2 SOC 2 report, which covers our entire platform. We achieved Type 1 compliance in January of 2020, and Type 2 compliance in September of 2020.

Inheritable Security Controls

The security controls referenced in our SOC 2 reports are inheritable by our customers, which means that anyone using the MedStack platform for their business will be SOC 2 compliant.

Day 1 Evidence

For companies that need to become SOC 2 compliant across their own business, 70% of the controls necessary for SOC 2 compliance are already complete by running on the MedStack platform. We can provide evidence of that level of compliance on day one.

Save Costs and Time

For the remaining requirements (i.e., site visit, personnel and administrative requirements, etc.), companies still require an auditor to reach full SOC 2 compliance, but they can do so at a fifth of the cost and time.

Learn how our platform can help you become SOC 2 compliant

We are the only platform that brings together compliance, security assessment responses, threat protection, and audit readiness into a complete offering, ensuring your application runs and manages data in the cloud with the highest privacy and security standards in mind.
