Welld Health places data security at the core of our mission. After all, your patients and participants demand assurances that the data you collect is protected.
Data security is a diffuse and complex concept. Part technical, part managerial, it can be hard to assess. This is why standards like the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (“SOC” for short) reports for service organizations have become popular in the last few years.
A SOC report is completed by an independent third-party CPA auditor and provides insight into how a service organization (such as a cloud vendor) achieves key security and compliance objectives.
Welld Health has achieved SOC 2 Type 2 compliance for the security and availability Trust Service Principles.
SOC 2 is a widely used framework for building trust between vendors (called “service organizations”) and customers (called “user entities”). CPAs have been doing audits relating to controls over financial reporting for decades, all the way back to a standard called SAP No. 29 in the 1950s. In 1992, a standard called SAS 70 introduced the concept of service organizations; it was used for years and gained importance post-Enron and post-Sarbanes-Oxley. These standards still focused on internal control over financial reporting, however, not security. With the rise of cloud computing, the AICPA saw the need for a security-specific framework, and in 2010 introduced their new Statement on Standards for Attestation Engagements No. 16 (SSAE 16). SSAE 16 introduced SOC 1, SOC 2 and SOC 3, with SOC 1 replacing SAS 70.[1]
Today, SOC 2 Type 2 reports are one of the most requested forms of assurance from cloud-based tech companies who handle sensitive data. While HIPAA mandates that PHI is kept secure, SOC 2 audits provide objective assurance (to both end users and B2B customers) that the necessary practices to achieve data security are in place.
SOC 2 (and SOC 1) reports come in two flavors, Type 1 and Type 2.
A Type 1 report is a point-in-time snapshot in which a CPA looks at management’s description of the service organization’s system (e.g. your security management program) and renders an opinion on 1) whether that description is fairly presented, and 2) whether the controls you have in place are suitably designed to meet your control objectives. Type 1 reports are useful if you want to get your auditor familiar with your chosen controls, or if your system or control scheme has changed significantly.
A Type 2 is the good stuff your customers want: It includes the Type 1 subject matter plus an opinion on the operating effectiveness of the controls in place over a specific “review” period (typically 6 months or a year). The Type 2 report also contains details about how the auditor examined each control and what they tested. This level of granularity is why the framework is so popular.
Under AICPA rules, SOC 2 reports are only for management, customers, and other key stakeholders. As such, ours is not publicly available—but naturally we’re eager to share it with our customers and partners.
If you’d like to get a copy of our report, contact Welld Health today at info@welldhealth.com.