Spruce Completes SOC 2 Type I Audit
- David Craig, MD
- May 1, 2018
- April 26, 2024
We are thrilled to share some excellent news today: Spruce has completed a System and Organization Controls (SOC) 2 Type I audit examination of our Care Messenger platform.
SOC 2 audits, performed by independent auditors, evaluate whether the safeguards and controls employed by organizations like Spruce are adequate to ensure the protection and security of their clients’ data. For our audit, Spruce retained international business advisory firm Skoda Minotti, based on their reputation as a leading risk advisory and compliance firm, and we have been working diligently with their auditors over the past year to fully describe and document our systems and processes, as they relate to the “trust service principles” that SOC audits investigate.
Skoda Minotti’s testing of Spruce’s controls included examinations of our policies and procedures regarding network connectivity, firewall configurations, systems development life cycle, computer operations, logical access, data transmission, backup and disaster recovery, and other critical operational areas.
Upon completion of the audit, Spruce received a Service Auditor’s Report with an unqualified opinion, which signifies that the independent auditors found our policies, procedures, and infrastructure to meet or exceed the stringent SOC 2 criteria against which they were being assessed.
We’re very proud of this outcome, and we’re elated to be able to share this news with our customers. Securing and protecting your data has always been a top priority for us at Spruce, and we are now able to share third-party-validated assurance of this commitment with our SOC 2 audit result.
San Francisco, CA – Spruce Health, Inc., a healthcare technology company, today announced that it has successfully completed a System and Organization Controls (SOC) 2® Type I Audit examination for their Care Messenger System, in conjunction with business advisory and auditing firm Skoda Minotti.
About – Spruce Health, Inc.
Spruce Health is a healthcare technology company that is dedicated to providing solutions that enable modern care to occur outside of face-to-face interactions and the four walls of the medical office. Spruce serves a diverse set of medical organizations, from solo providers through to large multi-site, multi-specialty practice groups, and the company offers advanced solutions in telemedicine, telephony, secure messaging, team collaboration, population management, workflow efficiency, and many other necessary areas and functions of healthcare today.
Spruce’s flagship product is Spruce Care Messenger, a cloud-based application that enables innovative healthcare teams to implement workflows for both in-person and remote care that can increase quality, efficiency, and satisfaction. Care Messenger is available via native mobile applications (both iOS and Android) as well as through a web application, allowing users flexibility in how they use its features. Medical teams using Care Messenger can interact internally, with each other, and also with their patients or other external parties over their choice of a variety of available communication channels, including secure messaging and telemedicine. All communication is treated as part of a unified, chronological medical record, and population management and team collaboration features are overlaid to allow teams to develop high-quality, efficient approaches to serving their patient panels.
About – Skoda Minotti
Skoda Minotti is a Certified Public Accounting Firm based in Cleveland, OH, offering a variety of tax, finance, and business advisory services in virtually every area of business. The Risk Advisory practice specializes in SOC Reporting, PCI DSS Compliance, FISMA, NIST, and other regulatory information security assessments. Staff in Skoda Minotti’s Risk Advisory hold several industry certifications, including Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Qualified Security Assessor (QSA), GIAC Penetration Tester (GPEN), and GIAC Web Application Penetration Tester (GWAPT).