SOC 2 Compliance Automation Software for Digital Healthcare

Learn about SOC 2

SOC 2 is a compliance standard (not a certification) that specifies how companies should manage general customer data. SOC 2 guidelines are built on five sets of standards.


Frequently Asked Questions

SOC 2 (Service Organization Control) is the standard of the AICPA that is widely considered the benchmark for trust in the cloud industry.


Confidential information is protected.

Personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies. Unlike the confidentiality section, the privacy section only applies to personal information.

Your information and systems are available for operation and use.

Processing integrity
System processing is complete, valid, timely, authorized, and accurate. Throughout the course of data processing, customer data remains correct.

Your systems and the data you store are protected against unauthorized disclosure and unauthorized access.

There are two types of SOC 2 compliance – Type 1 and Type 2.

Type 1 is point in time, whereas Type 2 is assessed over a period of time, and therefore more difficult to achieve.


Demonstrating that you’re SOC 2 compliant is important because it demonstrates that your company has adequate, effective controls in place to govern how information is handled within the business.

This is a more reliable process than simply giving your word to enterprise clients that you have sufficient security protocols in place to protect sensitive general data, since a SOC 2 audit has specific requirements and is performed by an independent third-party auditor.

In turn, this adds tangible credibility to the security features that your company has in place.

SOC 2 is a voluntary compliance standard, however that doesn’t mean your company won’t need it.

Some enterprise clients that deal with large volumes of data may require partnering companies to remain SOC 2 compliant, in order to ensure every possible protection is in place to secure their confidential data and prevent data leaks.

It may be a mandatory requirement for future partnerships, so it’s a good idea to ensure that your business remains SOC 2 compliant.

Organizations that work in service and either process or store sensitive client data should consider a SOC 2 audit and maintain compliance.

Because SOC 2 has been largely accepted as an important part of the United States standard for information security, the number of companies being asked to undergo a SOC 2 assessment and remain SOC 2 compliant continues to grow on an annual basis.

A SOC 2 audit report offers in-depth information about how well a service organization is meeting the five SOC 2 sets of standards: confidentiality, security, processing integrity, privacy controls, and availability.

The audit should be performed by a licensed CPA firm, or if a third-party company that isn’t CPA licensed is performing the audit, they must have a CPA firm sign-off on the audit after it’s completed.

If you’re interested in your business becoming SOC 2 compliant, you’ll need to hire a third-party auditor to visit your business and perform a SOC 2 audit.

A useful first step towards getting SOC 2 compliant is signing up to use the MedStack platform for your business, since we take steps to ensure the SOC 2 compliance process goes as smoothly as possible for your company.

How can MedStack help with compliance ?

Annual Report

MedStack does an annual Type 2 SOC 2 report, which covers our entire platform. We achieved Type 1 compliance in January of 2020, and Type 2 compliance in September of 2020.


Inheritable Security Controls

The security controls referenced in our SOC 2 reports are inheritable by our customers, which means that anyone using the MedStack platform for their business will be SOC 2 compliant.


Day 1 Evidence

For companies that need to become SOC 2 compliant across their own business, 70% of the controls necessary for SOC 2 compliance are already complete by running on the MedStack platform. We can provide evidence of that level of compliance on day one.

Save Costs and Time

For the remainder, companies require an auditor to fulfill the remaining requirements for full SOC 2 compliance (i.e., site visit, personnel and administrative requirements, etc.), which would still result in achieving full SOC 2 compliance at a fifth of the cost and time.

Learn how our platform can help you become SOC 2 compliant

We are the only platform that brings together compliance, security assessment responses, threat protection, and audit readiness into a complete offering, ensuring your application runs and manages data in the cloud with the highest privacy and security standards in mind.

Ready to join our MedStack Community ?

Book a demo today and see how easy it is to get started with MedStack.

Learn More

Check out a few of our resources to learn more about SOC 2.

Stack Your
Inbox with 
MedStack ―

Get added value, medical security updates and MedStack’s latest releases right in your inbox.