What is SOC 2 Type 2 Certification?
SOC 2 Type 2 Definition
SOC stands for “system and organization controls,” and the controls are a series of standards designed to help measure how well a given service organization manages and safeguards its information. The purpose of SOC standards is to provide confidence and peace of mind for organizations when they engage third-party vendors. A SOC-certified organization has been audited by an independent certified public accountant who determined that the firm has the appropriate SOC safeguards and procedures in place.
More specifically, SOC 2 is designed for service providers storing customer data in the cloud. It requires companies to establish and follow strict information security policies and procedures encompassing the security, availability, processing integrity, and confidentiality of customer data.
Evariant is committed to providing the highest quality solutions and the safest, most secure environment for your sensitive data. We aim to demonstrate such value with our Service Organization Control (SOC) 2 Type 2 attestation, which transparently details our processes and controls.
Common SOC 2 Type 2 Questions
- How is SOC 2 Type 2 Different from Type 1?
While the Type 1 report highlights our policies and procedures for meeting the Trust Factor criteria, the Type 2 process requires a 6-month audit period conducted by a third party. In other words, SOC 2 Type 1 is a point-in-time measurement of the policies and procedures used to manage the Trust Factors, while SOC 2 Type 2 proves, with hard evidence, that those policies were followed throughout a 6-month reporting window.
- What Does the SOC 2 Type 2 Audit Examine?
SOC 2 looks at five Trust Factors of secure data processing and storage. Demonstrating proficiency across one or more of these criteria attests to the strength of an organization's privacy and security controls:
- Security: the system is protected against unauthorized access, both physical and logical
- Availability: the system is available for operation and use as committed or agreed
- Processing Integrity: system processing is complete, accurate, timely, and authorized
- Confidentiality: information designated as confidential is protected as committed or agreed
- Privacy: personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles (GAPP)
SOC 2 reports can address one or more of the above Trust Factors. While there is no checklist for identifying which Trust Factors should be in scope, Evariant felt Security was the most important and notable area of focus, because it covers many foundational elements of the other four Trust Factors, and therefore included it in our most recent review.
- What Does SOC 2 Type 2 Compliance Mean for Evariant Customers?
SOC 2 Type 2 compliance assures our customers that we have best-in-class safeguards and procedures in place to ensure the security of their information. With over 1,000 hospitals leveraging the actionable intelligence provided by our Patients for Life Platform to drive high-value service line growth, extend patient lifetime value, and improve provider network utilization and planning, SOC 2 Type 2 compliance demonstrates that Evariant’s security policies, measures, and procedures rigorously protect the consumer and patient data managed by the Evariant Patients for Life Platform.