Clinia Renews SOC 2 Type II Compliance

Written by Clinia
Published 2025-11-13

We’re proud to share that Clinia has received the SOC 2 Type II audit report for the second time, marking a major milestone in our ongoing commitment to privacy and security. To help readers better understand what this achievement means, we spoke with members of our Governance, Risk, and Compliance (GRC) team.

What is SOC 2 Type II, in simple terms?

GRC: SOC 2 Type II is a report that shows how a company protects customer data and proves that its security controls actually work. “SOC” stands for Service Organization Control, and the report focuses on security with the option to also include availability, confidentiality, processing integrity, and privacy.

While Type I checks if the right systems are in place at a single moment, Type II tests those controls over several months to confirm they work consistently. In fewer words:

  • Type 1 = “You have the right security setup.”

  • Type 2 = “You have the right setup, and it works properly in real life over time.”

Why did Clinia decide to pursue this attestation now?

GRC: We chose to pursue SOC 2 Type II as a voluntary step to demonstrate our strong commitment to security and privacy. These principles are part of Clinia’s culture—we build them into everything we do. Because data protection is critical for our customers, this attestation helps us prove that our controls aren’t only well-designed but effective over time.

Who conducted the audit, and what does the process involve?

GRC: A SOC 2 Type II audit is performed by an independent third party. Auditors assess how a company manages access, protects data, and monitors systems. They test these controls over several months to ensure they meet the SOC 2 trust principles of security, availability, confidentiality, and privacy.

Why is SOC 2 Type II important for Clinia and our customers?

GRC: Because Clinia operates in a highly regulated environment and handles sensitive health data, it is especially important. It shows that we meet strict, independently verified standards for data security and privacy. It also supports our privacy and security by design approach—ensuring protections are built into our systems from the start.

Can you give a simple example of what this confirms in practice?

GRC: SOC 2 Type II doesn’t change how we work day-to-day; it confirms that the processes we already follow are strong, consistent, and effective. It shows that we manage access carefully, monitor our systems continuously, and test key controls like password policies, backups, and data encryption at least annually.

Which parts of Clinia’s operations were included in the audit and what kinds of controls or processes were evaluated?

GRC: The SOC 2 Type II audit looked at the controls and processes Clinia uses to protect data and ensure reliable operations in the following areas:

  • Security controls – how we prevent unauthorized access to systems and data.

  • Availability controls – how we ensure systems operate reliably and remain accessible when needed.

  • Confidentiality controls – how we protect sensitive information from unauthorized disclosure.

  • Privacy controls – how we handle and protect personal information in line with privacy principles.

Our SOC 2 report covers the trust services criteria (TSC) for Security, Availability, Confidentiality, and Privacy.

Does this affect how clients use Clinia’s platform?

GRC: Not directly. Clients continue to use the platform as before—but now with added confidence that their data is managed in a trusted, well-controlled environment. It also helps clients meet their own compliance and regulatory requirements by partnering with a SOC-aligned provider.

What do we need to do to maintain this compliance?

GRC: Staying SOC 2 Type II compliant means making security and privacy an ongoing part of our daily work. We continue to monitor access, protect data, update policies, and train our teams. Regular audits ensure our controls remain strong and effective.

In your opinion, what was the most challenging part of the audit process?

GRC: The most challenging part of the SOC 2 Type II audit was proving consistency over time—showing that strong controls don’t only exist but work effectively every day for months. It required gathering evidence, tracking activity, and coordinating across teams. At Clinia, this consistency is simply part of how we work every day; our systems and habits are built with security and privacy in mind, so the proof naturally follows.

Finally, what’s the next step in Clinia’s commitment to privacy and trust?

In the next phase of our compliance program, we are implementing a consolidated enterprise risk management framework. This strategic shift strengthens our alignment with international privacy regulations and ensures the consistent and secure protection of data across our organization and jurisdictions.
