Announcing Osmos' SOC 2 Type II & HIPAA Compliance

Continuing our Commitment to Data Security

Security has been top priority since before the first line of code was ever written at Osmos. After a rigorous evaluation over the last 12 months, we received our SOC 2 Type II attestation with zero exceptions, proving Osmos’ continued adherence to security.

Osmos Achieves SOC 2 Type II Compliance

SOC 2 is an auditing measure developed by the American Institute of CPAs (AICPA) that ensures service providers securely manage user data. SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on an organization’s non-financial reporting controls based on 5 "trust service principles": security, availability, processing integrity, confidentiality, and privacy.

SOC 2 compliance is broken down into two types, I and II. SOC 2 Type I reviews the suitability of an organization’s controls at a fixed date in time. SOC 2 Type II reviews the suitability of an organization’s controls over a period of time (several months); this provides concrete proof that the controls outlined in Type I have been implemented correctly and are being continuously adhered to.

Now, we’re continuing our longstanding commitment to security with the addition of our SOC 2 Type II report, an internal controls report capturing how our company safeguards customer data worldwide and how well those controls are operating.

An independent auditor, Prescient Assurance, conducted an audit of our servers and systems verifying that our information security practices, policies, procedures, and operations meet the rigorous SOC 2 standards. Additionally, this audit confirmed that our platform is protected against unauthorized physical and logical access.

Thanks to company-wide contributions from the Osmos team, we are proud to announce that we've achieved compliance and received an Auditor’s Report, outlining how our policies, procedures, controls, and infrastructure meet or exceed the SOC 2 Type II requirements.

Furthering our Commitment with HIPAA Compliance

HIPAA stands for Health and Insurance Portability and Accountability Act of 1996 and is a US Public US Law that requires the adoption of national standards for proper appropriate and secure handling of electronic health data. In other words, healthcare providers in the US must conform to the HIPAA standards that ensure they process protected health data in a responsible, private and secure manner.

HIPAA was enacted to standardize the flow of healthcare information and protect personally identifiable information—referred to in the law as “Protected Health Information” (PHI)—from theft and fraud.

Now that Osmos is HIPAA-complaint, we are capable of better serving the needs of healthcare providers and any company or organization that deals with protected health information. Osmos can enter into a Business Associate Agreement (BAA) with customers who require it or wish to use protected health information (PHI) with our platform. With this milestone, we hope to enable even more healthcare customers to innovate faster and improve care for patients.

What This Means for Our Customers

The work doesn’t stop with this certification. Security, privacy, and confidentiality will continue to be part of our core priorities that we incorporate at every step of our product development and implementation processes as well as with our employee protocol. 

We ask our customers and partners to continue to hold us accountable to our claims around security, performance, and availability. Learn more about our commitment to enterprise security and privacy.

For customers interested in receiving a copy of the SOC 2 Type II report or enter into a Business Associate Agreement (BAA), please reach out to security@osmos.io.