SOC 2 Trust Service Criteria

Overview

SOC 2 is an AICPA-defined auditing framework for service organizations, structured around five Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.

vitalera implements security, availability, and confidentiality controls aligned with the SOC 2 Trust Service Criteria. These controls are independently audited and certified under our ISO/IEC 27001:2022 Information Security Management System, which shares substantial overlap with the SOC 2 TSC framework.

Current state

Transparent positioning

vitalera does not currently publish a SOC 2 Type I or Type II attestation report.

The underlying security controls required by SOC 2 are implemented, operated, and externally audited under ISO 27001:2022 — a framework that, while issued by a different standards body (ISO), covers substantially the same control domains as SOC 2 and is more widely recognized internationally, particularly in the EU healthcare market that vitalera primarily serves.

Enterprise customers who require SOC 2 documentation for their internal vendor review process can request one of the options below.

What enterprise customers can request

Contact legal@vitalera.io or your account manager to receive any of the following as part of a security review:

Document | Description
ISO 27001:2022 certificate | Current certificate issued by our accredited certification body, including the scope statement and certification validity dates
Statement of Applicability (SoA) | Annex A controls applied to vitalera, with implementation notes
SOC 2 / ISO 27001 controls mapping | Document mapping the five SOC 2 Trust Service Criteria to the ISO 27001 Annex A controls implemented by vitalera
Penetration test summary | High-level results of the most recent independent penetration test
Architecture and data flow documentation | Network diagrams, data residency details, encryption architecture, and third-party data processors
Security questionnaire response | Completed responses to common vendor security questionnaires (CAIQ, SIG, VSA)

All documents are shared under a mutual NDA as part of the enterprise sales process.

Trust Service Criteria coverage

The five SOC 2 Trust Service Criteria and how vitalera addresses each:

Security (Common Criteria — required for all SOC 2 reports)

Covered through ISO 27001:2022 Annex A controls for information security policies, access control, cryptography, physical security, operations security, communications security, system acquisition, supplier relationships, incident management, and business continuity. See the ISO 27001 and Data Security pages for details.

Availability

  • Multi-AZ deployment on AWS eu-west-1 with automated failover
  • Daily backups with point-in-time recovery
  • Documented disaster recovery runbooks with tested RTO and RPO targets
  • Continuous monitoring and alerting for availability metrics

Confidentiality

  • AES-256 encryption at rest, TLS 1.2+ in transit
  • Role-based access control with least-privilege enforcement
  • Network isolation via AWS VPC
  • Encrypted managed databases and object storage
  • Data classification and handling policies covering PHI, PII, and customer data

Processing Integrity

  • Input validation at the API boundary (FHIR R5 schema enforcement)
  • Database-level integrity constraints and cryptographic audit logs
  • Structured error handling and idempotency for webhook delivery
  • Automated testing and change management for all production deployments

Privacy

  • GDPR compliance for EU personal data
  • HIPAA Business Associate safeguards for US PHI
  • Documented data subject rights workflows
  • Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs) available

Why ISO 27001 works for SOC 2 reviews

For customers whose procurement process asks for "SOC 2 or equivalent," ISO 27001:2022 is the most widely accepted equivalent:

  • Scope: ISO 27001's 93 Annex A controls cover the same domains as SOC 2 Common Criteria
  • Audit: Annual surveillance audits and triennial recertification by an accredited body
  • Independence: Performed by a third-party ISO certification body, not a self-assessment
  • International recognition: Required by many non-US enterprises and healthcare systems

If your procurement process strictly requires a SOC 2 Type II report and does not accept ISO 27001 as an alternative, contact legal@vitalera.io to discuss scheduling a SOC 2 audit as part of the enterprise contract.

  • ISO 27001 — Primary security certification and SOC 2 equivalent
  • HIPAA — US healthcare Business Associate safeguards
  • GDPR — EU personal data protection
  • Data Security — Technical security architecture overview

Contact

For security reviews, SOC 2 controls mapping, or enterprise compliance documentation, contact legal@vitalera.io.