Jan 1, 2023 12:40:00 AM
SortSpoke
Insurance Security

SortSpoke achieves SOC 2 Type 2 certification

We're proud to announce that SortSpoke has achieved SOC 2 Type 2 certification, validating that our platform meets enterprise-grade security standards for protecting sensitive customer data. This certification represents our commitment to transparency, trust, and the rigorous security practices that insurance organizations demand.

At SortSpoke, safeguarding our customers' data isn't just something we talk about—it's the foundation of everything we do. We know that in today's threat landscape, security isn't negotiable. Insurance carriers, MGAs, and BPOs handle sensitive underwriting data, applicant information, and operational submissions. They need partners they can trust completely. Our human-in-the-loop AI approach is built with security and auditability at its core. That's why we undergo regular third-party audits to prove our security practices are real, not just promised.

TL;DR

  • SOC 2 Achievement: SortSpoke achieved SOC 2 Type 2 certification, demonstrating enterprise-grade security standards
  • Extended Validation: SOC 2 Type 2 validates that our security controls are properly designed and operating effectively over an extended audit period
  • Trust Services Principles: This certification covers security, availability, processing integrity, confidentiality, and privacy
  • Enterprise Ready: Insurance carriers, MGAs, and BPOs can rely on SortSpoke with confidence that independent auditors have verified our practices
  • Compliance Requirements: SOC 2 Type 2 compliance means SortSpoke meets the security requirements of enterprise insurance operations
  • Comprehensive Security: Combined with our HIPAA compliance, SortSpoke now meets the security requirements of the broadest range of insurance workflows

Why SOC 2 Type 2 Matters

If you're evaluating document processing solutions for your insurance operation, you've probably seen SOC 2 mentioned in procurement requirements. But what does it actually mean, and why does it matter?

SOC 2 (System and Organization Control 2) is an audit standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how effectively cloud-based service providers like SortSpoke safeguard sensitive data. Unlike SOC 2 Type 1 (a point-in-time assessment), SOC 2 Type 2 validates that security controls are not just designed well, but are actually operating effectively over an extended audit period—typically six to twelve months. In other words, we're not just promising good security; we've proven it works over time.

SOC 2 Type 2 assesses organizations against five Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy. For insurance, this is critical. Your document processing platform needs to keep data secure, stay available when you need it, process information with integrity, keep confidential information actually confidential, and respect privacy requirements. SOC 2 Type 2 independently verifies all of these.

Type 2 vs. Type 1

SOC 2 Type 1 provides a snapshot of security controls at a point in time. SOC 2 Type 2 goes further—it validates that those controls work consistently over months of real-world operations. Type 2 is what enterprise organizations require because it proves security works, not just in theory, but in practice.

Why We Pursued SOC 2 Type 2 Certification

Simply put: our customers required it. As we scaled SortSpoke across the insurance industry, we worked with enterprise carriers and MGAs whose procurement teams had one non-negotiable requirement—SOC 2 Type 2 certification. These organizations were handling mission-critical submissions and sensitive underwriting data. They needed third-party validation that their technology partners met enterprise security standards.

Beyond compliance checkboxes, we pursued SOC 2 because it aligns with our core values. Our human-in-the-loop AI approach is built on transparency and auditability. We don't hide how data flows through our system; we make every extraction traceable and reviewable. SOC 2 Type 2 certification reinforces that commitment—it's independent proof that we do what we say we do.

The Path to SOC 2 Type 2

Achieving SOC 2 Type 2 required more than one audit. The process involved multiple stages of assessment and validation:

  • Type 1 Foundation: We first achieved SOC 2 Type 1 certification, which provided a point-in-time assessment of our security controls. But we didn't stop there.
  • Extended Audit Period: For Type 2, we needed to demonstrate that those controls operated effectively over an extended period. This meant undergoing a continuous audit where independent auditors reviewed our systems, processes, and operational practices over months.
  • Comprehensive Assessment: The audit covered our entire platform and infrastructure: how we encrypt data in transit and at rest, how we control access to systems, how we log and monitor all activity, how we respond to security incidents, and how we manage employee access and training.
  • Real-World Validation: The audit period gave auditors visibility into how our controls operated under real conditions—not just in a controlled test environment. This is what makes Type 2 more valuable than Type 1.
  • Certification Achievement: After an extended audit period, we received our SOC 2 Type 2 certification, validating that our security controls are both well-designed and effectively operating.

What SOC 2 Type 2 Covers

Our SOC 2 Type 2 certification validates our controls across the five Trust Services Principles, with specific focus on security and availability—the areas most critical to insurance operations.

  • Security: We have implemented controls to protect against unauthorized access to systems and data. This includes encryption of data in transit and at rest, role-based access controls, multi-factor authentication, and continuous monitoring for suspicious activity.
  • Availability: We have controls in place to ensure SortSpoke remains available when you need it. This includes redundant infrastructure, backup systems, disaster recovery procedures, and monitoring to detect and respond to outages.
  • Processing Integrity: We ensure that data is processed completely, accurately, and in a timely manner. Our controls validate data quality throughout the extraction and validation workflow.
  • Confidentiality: We protect sensitive information from unauthorized access. This includes data segregation, encryption, and access controls that ensure only authorized personnel can access customer data.
  • Privacy: We respect and protect personal information in accordance with applicable privacy laws and regulations. This includes policies for how data is collected, used, retained, and deleted.

For insurance operations specifically, these controls mean you can process submissions and extract sensitive underwriting data with confidence that enterprise-grade security is built into every layer of the platform.

What This Means for Your Organization

If you're an insurance carrier, MGA, or BPO evaluating document processing solutions, SOC 2 Type 2 certification changes what's possible. It means you can check the security box in your procurement requirements—but more importantly, it means you're working with a partner whose security practices have been independently validated.

In practical terms, SOC 2 Type 2 compliance means your IT and security teams can move forward with SortSpoke without needing to layer on additional security infrastructure or conduct extensive security assessments. The heavy lifting has been done. You can focus on what matters: improving underwriter productivity and scaling your submission processing.

For larger carriers and MGAs with strict vendor security requirements, SOC 2 Type 2 certification often opens doors that would otherwise remain closed. Your procurement team can approve the partnership faster. Your IT team can integrate SortSpoke into your tech stack with confidence. Beyond regulatory compliance, SOC 2 Type 2 demonstrates our operational maturity. We're not a startup with security as an afterthought. We're a platform built from the ground up with security embedded in our architecture, our processes, and our culture. Combined with our HIPAA compliance, SortSpoke now meets the security requirements of the broadest range of insurance operations—from general carriers to health insurers to healthcare-focused MGAs.

An Ongoing Commitment to Security

SOC 2 Type 2 certification isn't a one-time achievement. It's an ongoing commitment. We conduct regular security assessments, vulnerability testing, and penetration testing. We update our security practices as threats evolve and new best practices emerge. Our team stays current on security developments, and we're committed to maintaining our certification and continuously improving our security posture.

For insurance organizations, this ongoing commitment means you can trust that SortSpoke will continue to meet and exceed the security standards you require, even as the threat landscape changes.

SOC 2 Type 2: Security Built Into Everything We Do

  1. SOC 2 Type 2 represents our commitment to enterprise-grade security that's been independently validated and proven to work over time.
  2. Combined with HIPAA compliance, SortSpoke now meets the broadest range of insurance security requirements—from general liability to health insurance.
  3. Your security and IT teams can move forward with confidence. We've done the heavy lifting; you can focus on scaling your operations.
