System and Organization Controls 2, or SOC 2, is a set of standards and criteria for modern technology companies to follow to ensure proper management of customer data. Developed by the American Institute of CPAs (AICPA), SOC 2 includes five main principles of security, privacy, availability, processing integrity, and confidentiality at its core. In the highly regulated US healthcare industry, achieving SOC 2 compliance is a minimum for any SaaS organization that plans to deal with Protected Health Information (PHI), or customer health data in general.
At Metriport, we made achieving SOC 2 and HIPAA compliance a top priority as soon as we began to work on our open-source universal API for healthcare data. Since we had prospective customers already asking if we were SOC 2 certified, we got the process started as early on in our journey as possible, knowing we'd need to allow time for the mandatory audit that's required as part of achieving SOC 2 compliance. To become SOC 2 certified, an organization must pass the audit from an independent third party, and receive two main types of reports:
While there are a fair number of compliance solutions in the space — Drata, Vanta, and Secureframe, to name a few — we decided to go with Vanta, largely due to the fact that they were also a YC company, and that we had only heard positive things about them from fellow companies in our batch.
Working with Vanta was smooth off the bat, as they were able to get us onboarded in just over a week, and offered pricing that was appealing to us as an early-stage startup. One thing that we really liked about working with them was that they offered a very user-friendly interface and dashboard that made compliance straightforward and intuitive. Whenever we had a question, whether it was with regard to creating a new policy or satisfying a requirement, we were able to follow the steps that they provided for us, or get a timely response from one of their team members in the event that we needed further explanation. Their team was normally able to answer an email within the same day, and scheduled weekly Zoom calls with us to make sure we were on track to hit our SOC 2 Type I report by our preferred deadline.
Overall, our experience working with Vanta was positive, as their software and customer service were both excellent and headache-free.
Because SOC 2 certification requires an audit from an independent third party, we weren't able to rely on Vanta alone for achieving SOC 2 compliance. The audit serves as a way to evaluate the organization's systems and processes against AICPA's basic criteria and determines whether they meet the SOC 2 requirements. Thankfully, Vanta was able to provide us with a list they put together of independent auditors we could choose from. We went with Prescient Assurance, and were able to get our SOC 2 Type I report from them fairly quickly, since this report was essentially a snapshot of our controls at the time.
After we received our SOC 2 Type I report from Prescient, we worked with them closely over the course of the next 3 months, as they evaluated our controls over that period of time. When it was all said and done, we were left with a handy SOC 2 Type II report that we were able to share with customers, and a badge that we could display to show proof of our official SOC 2 compliance and certification. Hallelujah!
Looking back, we definitely feel like we made the right decisions about who we worked with and how quickly we were able to move through the SOC 2 certification process. One thing we wish we had known in hindsight was that we'd also need to get a pentest done within the first year of compliance — something we didn't know about when we initially started. This is where we think companies like Oneleet will excel in the future, by offering a complete compliance solution that includes pentests and audits as part of a single offering. While we're in a good place with our vendors right now, we definitely won't rule out a switch to an all-in-one type solution down the road.
Got any questions about the SOC 2 process or which vendor to go with? Email us at firstname.lastname@example.org and we'll be happy to offer our advice to help you achieve this necessary milestone.