SOC 2 Type II
Service Organization Control 2 Trust Services Framework
Overview
SOC 2 is an auditing framework developed by the AICPA for service organizations. A SOC 2 report attests to the controls an organization maintains over data security, availability, processing integrity, confidentiality, and privacy.
A Type II report evaluates whether those controls operated effectively over an observation period (typically 6-12 months), not just whether they were suitably designed at a point in time.
Why SOC 2 for VitaraVox
| Benefit | Description |
|---|---|
| Enterprise sales | Required by larger clinic networks |
| Trust | Third-party validation of security |
| Competitive | Differentiator in healthcare SaaS |
| Risk reduction | Systematic control framework |
Trust Services Criteria
Security (Common Criteria)
The system is protected against unauthorized access.
| Control | VitaraVox Implementation | Status |
|---|---|---|
| CC1.1 - Integrity and ethical values | Code of conduct | ⬜ Planned |
| CC2.1 - Security policies | Security policy document | ⚠️ Needs formalization |
| CC3.1 - Risk assessment | Risk register | ⚠️ Needs formalization |
| CC4.1 - Monitoring activities | Log review, alerting | ⚠️ Needs formalization |
| CC5.1 - Logical access controls | RBAC, API keys | ✅ Implemented |
| CC6.1 - Encryption | TLS 1.2+, AES-256 | ✅ Implemented |
| CC7.1 - Vulnerability management | Trivy scanning | ⬜ Planned |
| CC8.1 - Incident response | Breach procedure | ⚠️ Needs formalization |
| CC9.1 - Change management | Deployment process | ✅ Implemented |
Availability
The system is available for operation as agreed.
| Control | VitaraVox Implementation | Status |
|---|---|---|
| A1.1 - Capacity planning | Resource monitoring | ⚠️ Needs formalization |
| A1.2 - Disaster recovery | Backup procedures | ⚠️ Needs testing |
| A1.3 - Recovery testing | DR test schedule | ⬜ Planned |
Processing Integrity
System processing is complete, valid, accurate, and timely.
| Control | VitaraVox Implementation | Status |
|---|---|---|
| PI1.1 - Input validation | API validation | ✅ Implemented |
| PI1.2 - Processing controls | Audit logging | ✅ Implemented |
| PI1.3 - Output review | N/A (API responses) | ✅ N/A |
Confidentiality
Confidential information is protected.
| Control | VitaraVox Implementation | Status |
|---|---|---|
| C1.1 - Information classification | Data classification | ⚠️ Needs documentation |
| C1.2 - Confidential data protection | Encryption, access controls | ✅ Implemented |
Privacy
Personal information is collected, used, retained, and disclosed appropriately.
| Control | VitaraVox Implementation | Status |
|---|---|---|
| P1.1 - Privacy notice | Privacy policy | ⚠️ Needs update |
| P2.1 - Consent | Voice consent flow | ✅ Implemented |
| P3.1 - Collection limitation | Minimal data | ✅ Implemented |
| P4.1 - Use limitation | Scheduling only | ✅ Implemented |
| P5.1 - Retention | Retention schedule | ⚠️ Needs formalization |
| P6.1 - Access requests | Access procedure | ⚠️ Needs documentation |
| P7.1 - Disclosure limitation | No third-party sharing | ✅ Implemented |
| P8.1 - Data quality | Source from OSCAR | ✅ Implemented |
Control Gap Analysis
High Priority (Audit Blockers)
| Gap | Action Required | Effort |
|---|---|---|
| Security policies | Formalize and document | 2 weeks |
| Risk assessment | Create risk register | 1 week |
| Incident response plan | Document procedure | 1 week |
| Privacy policy | Update for completeness | 1 week |
Medium Priority
| Gap | Action Required | Effort |
|---|---|---|
| Vulnerability scanning | Implement Trivy | 1 day |
| DR testing | Conduct and document | 2 days |
| Access reviews | Quarterly process | Ongoing |
| Vendor assessments | Annual process | Ongoing |
Low Priority (Nice to Have)
| Gap | Action Required | Effort |
|---|---|---|
| Code of conduct | Create document | 1 day |
| Training program | Develop materials | 1 week |
| Penetration testing | Engage vendor | 1 week |
Evidence Collection
Automated Evidence
| Evidence Type | Source | Collection |
|---|---|---|
| Access logs | NGINX, Node.js | Automatic |
| Audit logs | PostgreSQL | Automatic |
| Change logs | Git history | Automatic |
| Health checks | Docker | Automatic |
Manual Evidence
| Evidence Type | Source | Collection |
|---|---|---|
| Policy documents | Confluence/Git | Quarterly review |
| Risk register | Spreadsheet | Quarterly update |
| Access reviews | Admin UI | Quarterly |
| Vendor assessments | Questionnaires | Annual |
Audit Timeline
Pre-Audit (Month 1-3)
| Activity | Timeline |
|---|---|
| Gap assessment | Week 1-2 |
| Remediation planning | Week 3 |
| Control implementation | Week 4-10 |
| Documentation | Week 8-12 |
Observation Period (Month 4-9)
| Activity | Timeline |
|---|---|
| Controls operating | 6 months |
| Evidence collection | Continuous |
| Internal audits | Monthly |
Audit (Month 10-12)
| Activity | Timeline |
|---|---|
| Auditor selection | Month 10 |
| Fieldwork | Month 11 |
| Report issuance | Month 12 |
Estimated Costs
| Item | Cost Range |
|---|---|
| SOC 2 Type II audit | $30,000 - $50,000 |
| Remediation (internal) | $10,000 - $20,000 |
| Compliance platform (optional) | $5,000 - $15,000/year |
| Penetration testing | $5,000 - $15,000 |
| Total Year 1 | $50,000 - $100,000 |
Recommended Auditors
| Firm | Notes |
|---|---|
| Prescient Assurance | Healthcare focus, startup-friendly |
| Johanson Group | Canada-based, mid-market |
| Moss Adams | Larger firm, comprehensive |
Action Items
| Priority | Action | Owner | Timeline |
|---|---|---|---|
| High | Complete gap assessment | Security | Month 1 |
| High | Formalize security policies | Security | Month 1-2 |
| High | Create risk register | Security | Month 2 |
| Medium | Implement vulnerability scanning | Engineering | Month 2 |
| Medium | Conduct DR test | Engineering | Month 3 |
| Low | Select auditor | Leadership | Month 6 |
Next Steps