February 2, 2022
Vineti’s Personalized Therapy Management® (PTM) solution meets rigorous standards: Service Organization Control (SOC®) 2 Type II compliance audit
Here at Vineti, the provider of the leading digital platform of record for personalized therapeutics, we recently announced the successful completion of our Service Organization Control (SOC®) 2 Type II audit.
The independent audit, conducted by a leading third-party SOC2 assessment provider, verifies that Vineti’s cloud-based Personalized Therapy Management® (PTM) Platform meets rigorous standards for data security, privacy, and trust. SOC2 compliance certification is recognized globally for the rigor of its review of an organization’s systems and organizational controls. SOC2 is an independent audit that reviews the company’s effective implementation of employee controls and training, IT systems and risk management controls, product discipline, and vendor selection. SOC2 Type II is the most comprehensive form of SOC2 certification, because it audits the operation of controls over a period of time rather than at a single point in time.
Here’s a quick look at some of the specifics when it comes to SOC2.
What is a SOC2 Type II compliance audit?
A SOC audit is an independent audit of a service organization’s controls, covering up to five “trust principles”: security, availability, confidentiality, integrity, and privacy. A Type II audit means that the examination covers a specific time period (Vineti elected a first six-month audit period, and will thereafter be audited annually). Vineti’s SOC 2 covered the Security, Availability, and Privacy trust principles, selected as the most appropriate to its SaaS services.
Why is SOC2 Type II compliance important?
A SOC 2 report is all but essential for a SaaS provider, as a third-party attestation that it complies with essential practices around security and privacy, and has the necessary administrative and technical controls in place to ensure that it can execute on its commitments to customers.
What does SOC2 compliance mean for Vineti’s customers?
SaaS customers must conduct due diligence on their vendors, especially those who might hold sensitive information (such as protected health information, or PHI) or provide critical services whose disruption would have a significant impact on their own customers. This process of vendor qualification can be time consuming, involving questionnaires, interviews, or even multi-day audits; a SOC2 report is a third-party attestation, by a credible, reputable source, that the company does adhere to its claimed policies and practices. A successful SOC2 audit is strong evidence that a provider does “walk the walk,” and having this certification can greatly reduce the time and labor required to satisfy customers’ concerns.
How does SOC2 Type II relate to other standards and guidelines?
SOC2 is similar to other certifications (for example, companies operating primarily in Europe might opt instead for an ISO 27001 certification, which covers many of the same controls). Vineti uses the NIST 800-53 Cybersecurity Framework as its base set of controls and maps those to the SOC2 controls.
What’s next for Vineti in the realm of security and compliance?
Vineti will be annually audited for ongoing SOC2 Type II compliance, but we may elect to pursue additional certifications, where warranted by the services we offer.
Vineti continues to maintain the US-EU and US-Swiss Privacy Shield certification. As a US company, Vineti also satisfies the requirements for ensuring the security and privacy of EU data through standard contractual clauses.
Vineti has also selected its own vendors on the basis of their ability to comply with global legal and regulatory requirements, and ensures that the AWS data centers it uses conform to its end customers’ requirements, such as HDS certification (a French regulatory requirement) for any data center holding data related to French citizens.