Security & Regulatory Compliance

This page summarizes how we protect data and meet healthcare and regulatory expectations. It is written for a general audience and highlights the key safeguards you can expect.


1. Compliance Frameworks

1.1 SOC 2 Type II (Certified)

We are SOC 2 Type II certified, which means an independent auditor has verified that our controls operate effectively over time.

  • What it covers: Security, availability, confidentiality, processing integrity, and privacy.
  • What it means for you: You can expect consistent, audited controls for how we protect data.
  • How we maintain it:
    • Documented security policies and control mapping.
    • Continuous monitoring and alerting (SIEM).
    • Defined incident response process with clear responsibilities.
    • Annual independent audits; report available under NDA upon request.

1.2 HIPAA (U.S. Healthcare Privacy)

HIPAA sets the baseline for protecting Protected Health Information (PHI).

  • What it covers: Privacy, security safeguards, and breach notification requirements.
  • What it means for you: Your PHI is handled with strict access controls, encryption, and monitoring.
  • Key safeguards we use:
    • Encryption for PHI at rest (AES-256) and in transit (TLS 1.2+).
    • Role-based access control (RBAC) and least-privilege access.
    • Regular risk assessments and staff security training.

1.3 21 CFR Part 11 (Electronic Records & Signatures)

This FDA regulation governs electronic records and signatures for clinical and medical device use.

  • What it covers: System validation, audit trails, and secure electronic signatures.
  • What it means for you: Records are tamper-evident and traceable.
  • Key safeguards we use:
    • Immutable, time-stamped audit logs.
    • Formal software validation and change control.
    • Multi-factor authentication (MFA) for sensitive access.

2. Summary of Controls & Certifications

  Standard        | Status               | Review Cadence | Examples of Controls
  SOC 2 Type II   | Certified            | Annual         | Monitoring, incident response, policies
  HIPAA           | Compliant program    | Annual         | Encryption, access control, logging, training
  21 CFR Part 11  | Validated processes  | Annual         | Audit trails, electronic signatures, validation

3. Continuous Improvement

  • Regular Audits & Assessments: Third-party audits and internal reviews validate our controls.
  • Security Roadmap: Continuous improvements to encryption, identity, and threat detection.
  • Training & Awareness: Quarterly security and compliance training for all employees.
  • Maintenance/Change Window (EST): 12:00 AM – 4:00 AM (Sunday)

4. Contact & Documentation

  • Request Full Reports:
    • SOC 2 Type II Audit Report (available under NDA)
    • HIPAA Security Risk Assessment summary
    • 21 CFR Part 11 Risk Assessment summary

For any questions or requests for additional documentation, please reach out to Kerrick Cavanaugh (kerrick@neuropacs.com).


Last updated: February 11, 2026