ChiroDesk AI

SOC 2

Independent verification that our controls protect your data. SOC 2 is the industry standard for SaaS security auditing.

What Is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 audit evaluates a company’s controls across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Unlike self-assessments, SOC 2 audits are conducted by independent, licensed CPA firms. The result is a formal report that verifies whether a company’s controls are properly designed and operating effectively.

Why SOC 2 Matters for Healthcare

HIPAA requires safeguards for patient data, but it does not include a formal certification process. SOC 2 fills that gap by providing independent, third-party verification that security controls are in place and working. For healthcare SaaS products, SOC 2 and HIPAA work together to provide comprehensive assurance.

Trust Service Criteria

Security

The system is protected against unauthorized access. Covers firewalls, intrusion detection, multi-factor authentication, access controls, encryption, and vulnerability management.

Availability

The system is available for operation and use as committed. Covers uptime monitoring, disaster recovery, incident management, and capacity planning. Critical for healthcare scheduling where downtime can impact patient care.

Processing Integrity

System processing is complete, valid, accurate, and timely. For AI scheduling, this means appointments are booked accurately, there are no duplicate or missed bookings, and EHR data syncs correctly.

Confidentiality

Information designated as confidential is protected as committed. Covers encryption, restricted access, and secure data disposal. Maps directly to HIPAA requirements for PHI.

Privacy

Personal information is collected, used, retained, disclosed, and disposed of in conformity with privacy commitments. Covers consent, data subject rights, and data minimization.

Our Status

ChiroDesk AI is pursuing SOC 2 Type II certification targeting the Security, Availability, and Confidentiality Trust Service Criteria. All controls are already implemented and operating:

  • AES-256 encryption at rest, TLS 1.3 in transit
  • Role-based access control with multi-factor authentication
  • Comprehensive audit logging and monitoring
  • Annual third-party risk assessments and penetration testing
  • Documented incident response and disaster recovery procedures
  • Employee security training program

Our cloud infrastructure provider maintains SOC 2 Type II certification, ISO 27001 certification, and HIPAA eligibility.

Questions

For questions about our security controls or compliance status, email security@chirodesk.ai.

Request Information

For questions about our SOC 2 status or to request documentation:

Email: security@chirodesk.ai

© 2026 ChiroDesk AI. All rights reserved.