Platform | Data Security
SortSpoke provides SOC 2 Type 2 and HIPAA compliant data security.
At SortSpoke, safeguarding our customers' data is the foundation of everything we do. We are focused on maintaining the highest industry standards to protect your data.
Our SOC 2 Type 2 certification demonstrates our ongoing commitment to implementing rigorous controls that protect your sensitive data and ensure the highest standards of security, availability, and confidentiality. Independent auditors test our controls over a 6-12 month period, proving consistent security—not just a point-in-time snapshot.
SortSpoke's HIPAA-compliant infrastructure and processes safeguard protected health information (PHI) throughout the document extraction workflow, enabling health insurance carriers to maintain regulatory compliance while accelerating their underwriting operations. We execute Business Associate Agreements and maintain comprehensive audit trails.
All customer data is protected by TLS 1.2+ in transit and by AES 256 encryption at rest.
SortSpoke provides high availability, backups, and auto-scaling out of the box.
We can host your data in your desired region to ensure it remains within a specific country.
All SortSpoke instances automatically adjust capacity to maintain the best mix of predictability and optimization for your team.
AWS facilities, networks, and server infrastructures are built and managed by world-class security experts.
AWS supports multiple security standards to help satisfy the compliance requirements for many global regulatory agencies.
SORTSPOKE SECURITY OVERVIEW
Download our Security Overview to see how SortSpoke protects your data. Get the details on our SOC 2 Type 2 and HIPAA compliance, encryption standards, and enterprise-grade security infrastructure.
Our comprehensive Privacy Policy outlines exactly how we collect, use, and protect your information, reflecting our dedication to transparency and data stewardship in everything we do.
Your data security is our priority—here are answers to common questions about how we protect your sensitive information.
SOC 2 focuses on security, availability, and confidentiality for any type of sensitive data. It's verified through independent audits over 6-12 months.
HIPAA is specific to healthcare data (protected health information/PHI) and is required for health insurance carriers processing medical records, diagnoses, and health information.
SortSpoke maintains both certifications. Learn more about our SOC 2 Type 2 certification and HIPAA compliance.
Generally no—HIPAA applies primarily to health insurance carriers, health plans, and companies processing protected health information (PHI). However, workers' compensation claims often involve medical records, which may trigger HIPAA requirements.
If you process any health insurance submissions, life insurance applications with medical records, or workers' comp claims with diagnoses and treatment information, HIPAA compliance is critical.
Learn more: Why HIPAA Compliance Matters for Insurance Carriers
Yes. We provide our SOC 2 Type 2 audit report to partners and customers under NDA during the procurement process. The report includes detailed information about our security controls, audit findings, and how we address the Trust Service Criteria.
Contact us to request a copy, or learn more about what's in our SOC 2 certification.
Documents are handled according to your specified retention requirements, and you maintain complete ownership at all times. You can export or delete your information whenever needed. All document access and modifications are logged in our audit trails.
For health insurance carriers, we follow HIPAA data destruction protocols and include these requirements in our Business Associate Agreements.
Our human-in-the-loop AI keeps underwriters involved in the validation process, making every extraction decision traceable and auditable. Unlike black-box AI systems, SortSpoke maintains:
SortSpoke works within your existing security perimeter, reducing implementation risks while maintaining compliance.
We've published detailed pages about our certifications and security practices:
Educational Resources:
You can also download our Security Overview or contact our security team with specific questions.
SOC 2 Type 2: We undergo annual audits with continuous monitoring between cycles. Our certification covers a 6-12 month audit period, demonstrating ongoing compliance—not just a point-in-time snapshot.
HIPAA: We maintain continuous compliance through regular risk assessments, policy updates, and workforce training. Our controls are reviewed annually as part of our security program.
When regulatory requirements change or new threats emerge, we update our controls immediately—audits simply confirm these practices are working as intended.
Yes. SortSpoke offers flexible data residency options through AWS infrastructure. We can host your data in your desired region to ensure it remains within a specific country for regulatory compliance.
Common regions include:
Our infrastructure includes:
Contact us to discuss your data residency requirements.
If you have questions about our security posture or want to discuss how SortSpoke's compliance framework fits your organization's requirements, let's talk.
© 2024 Mocsy Inc. (o/a SortSpoke). All Rights Reserved.