SOC 2 Compliant Healthcare Software: What It Means for Your Clinic's Patient Data

When a patient calls your clinic, books an appointment, or sends a message through your patient portal, they're trusting you with something valuable: their personal health information. Your clinical systems earn that trust through regulation, audits, and professional obligation.

But what about the software platforms sitting between your team and your patients? The tools handling appointment reminders, inbound messages, phone calls, and workflow automation… are they held to the same standard?

This is where SOC 2 compliance matters. And it's why Heron has achieved SOC 2 certification, a rigorous, independent audit of how we handle, protect, and manage your clinic's data.

In this post, we'll explain exactly what SOC 2 means, why it matters when evaluating healthcare software, and what questions every clinic should be asking their technology vendors.

What You'll Learn

  • What SOC 2 compliance is and what the audit actually tests

  • Why it matters specifically for patient communication software

  • The questions to ask any software vendor about data security

  • What Heron's SOC 2 certification means for your clinic

Why Data Security Is a Clinical Responsibility — Not Just an IT One

Most clinic owners and practice managers think about data security in terms of their PMS (practice management system). If MedTech or Gensolve is compliant, the job is done, right?

Not quite.

Your PMS is one piece of a much larger data ecosystem. Every tool your clinic uses — appointment reminder platforms, patient messaging systems, unified inboxes, phone management software — touches patient information in some form. A patient's name, date of birth, phone number, appointment time, and health status may all pass through these systems in a single day.

The risk isn't just in your core clinical records. It's in the connective tissue.

Under New Zealand's Privacy Act 2020, your clinic is responsible for how patient information is handled, including by third-party software providers acting on your behalf. If a vendor you use suffers a data breach or mishandles information, your clinic shares accountability.

This means choosing software with verifiable security credentials isn't optional. It's part of practising responsibly.

What SOC 2 Compliance Actually Means

SOC 2 (System and Organisation Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It's widely recognised as the gold standard for evaluating how software companies manage data security, availability, and confidentiality.

Unlike self-reported security claims, SOC 2 requires an independent third-party audit. An external auditor reviews a company's systems, processes, and controls against five Trust Services Criteria:

Criteria               What It Tests
Security               Is the system protected against unauthorised access?
Availability           Is the system reliably accessible when you need it?
Processing Integrity   Does the system process data accurately and completely?
Confidentiality        Is confidential information protected appropriately?
Privacy                Is personal information handled in accordance with privacy commitments?

Not every company pursues all five. The minimum standard, and what most enterprise clients require, is the Security criteria, also called SOC 2 Type II.

SOC 2 Type I vs Type II: What's the Difference?

There are two versions of SOC 2 certification:

  • Type I — a point-in-time assessment. The auditor confirms that security controls are designed correctly at a specific moment.

  • Type II — a period-based assessment, typically covering 6–12 months. The auditor confirms that controls are not just designed correctly, but that they actually worked consistently over time.

Type II is substantially more rigorous. It's the version that matters for long-term vendor relationships, because it demonstrates sustained operational discipline — not just a well-prepared audit moment.

What Gets Tested in a SOC 2 Audit

To understand why SOC 2 is meaningful, it helps to know what auditors actually examine. A SOC 2 audit for a healthcare software company typically reviews:

  • Access controls — who can access which systems, how that access is granted, and how it's revoked when someone leaves

  • Encryption — how data is encrypted in transit (when moving between systems) and at rest (when stored)

  • Incident response — what happens when something goes wrong, and how quickly and accurately the company responds

  • Change management — how code changes and system updates are tested and deployed without introducing security vulnerabilities

  • Vendor management — whether the company's own third-party dependencies are also held to security standards

  • Monitoring and logging — whether suspicious activity is detected and recorded

For a clinic, this translates directly: when you send a patient reminder, does that message travel securely? When your team logs into the platform, is access properly controlled? If something goes wrong, does the vendor have a documented, tested response?

SOC 2 doesn't just ask these questions; it requires evidence that the answers are actually yes.

What Heron's SOC 2 Certification Means for Your Clinic

Heron is an all-in-one patient communications and workflow platform. Every day, Heron handles appointment reminders, inbound patient messages, call summaries, and workflow automations for clinics across NZ and APAC.

That means Heron sits in the data flow of your clinic, and we take that seriously.

Achieving SOC 2 compliance means Heron has passed an independent audit confirming that our security controls, data handling processes, and operational practices meet the standard required to handle sensitive information responsibly.

For your clinic, this means:

  • Your patient data is handled with independently verified controls, not just our word for it

  • Access to your clinic's information is appropriately controlled and monitored

  • Our infrastructure and processes are designed and tested to protect against unauthorised access

  • You have documented evidence of our security posture, something you can present to your own governance or compliance processes

We've also ensured Heron's integrations with PMS platforms like MedTech, Elixir, and Gensolve are built with the same security standards in mind, so the connection between your clinical record and your communications layer doesn't create a vulnerability.

The Questions Every Clinic Should Ask Their Software Vendors

SOC 2 is one credential. But it's a good lens for a broader conversation with any software vendor your clinic relies on. Here are the questions worth asking:

1. Do you have a current SOC 2 report, and can you share it? Any reputable vendor should be able to provide a SOC 2 report or at minimum confirm their certification status. Reluctance here is a red flag.

2. Is it Type I or Type II? Type II indicates sustained, ongoing compliance, not a one-time snapshot.

3. How is patient data encrypted, both in transit and at rest? Look for TLS 1.2 or higher in transit, and AES-256 encryption at rest as baseline answers.

4. Where is data stored, and is it subject to NZ/AU privacy law? Data stored offshore may be subject to foreign jurisdictions. Understand where your data sits.

5. What is your incident response process? If there's a breach or security event, how quickly will you notify us, and what's the remediation path?

6. Do you conduct regular penetration testing? Independent pen tests go beyond compliance frameworks to actively probe for vulnerabilities.

A vendor who can answer these questions clearly, with documentation, is one who takes your clinic's trust seriously.
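Question 3 above gives a concrete baseline for data in transit (TLS 1.2 or higher). A clinic's IT support can verify that part of a vendor's answer directly rather than taking it on trust. The script below is an added example written for this post; it is not Heron's code and does not describe Heron's systems. It uses only Python's standard-library ssl module, the hostname "example.com" is a placeholder to be replaced with the vendor's patient-portal or API hostname, and the helper names are my own.

```python
import socket
import ssl

# Baseline from the post: TLS 1.2 or higher for data in transit.
BASELINE_VERSION = "TLSv1.2"

# Protocol names exactly as ssl.SSLSocket.version() reports them, oldest to newest.
_VERSION_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def meets_baseline(negotiated, baseline=BASELINE_VERSION):
    """True if the negotiated protocol is at or above the baseline.

    Anything unrecognised (None, empty string, unknown name) fails closed.
    """
    if negotiated not in _VERSION_ORDER:
        return False
    return _VERSION_ORDER[negotiated] >= _VERSION_ORDER[baseline]


def strict_client_context():
    """Client context that refuses anything below TLS 1.2 and verifies the
    vendor's certificate chain and hostname against the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Plain-string summary of the settings that matter for the baseline check."""
    return {
        "minimum_version": ctx.minimum_version.name,  # e.g. "TLSv1_2"
        "verify_mode": ctx.verify_mode.name,          # e.g. "CERT_REQUIRED"
        "check_hostname": ctx.check_hostname,
    }


def probe_tls(host, port=443, timeout=5.0):
    """Connect with the strict context and report what was negotiated.

    Raises ssl.SSLError if the server cannot reach TLS 1.2 or presents an
    untrusted certificate; that failure is itself the finding.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            cipher_name = tls.cipher()[0]
    return {
        "host": host,
        "version": version,
        "cipher": cipher_name,
        "meets_baseline": meets_baseline(version),
    }


def accepts_legacy_tls(host, port=443, timeout=5.0):
    """Does the server still complete a handshake when the client offers only
    TLS 1.0/1.1?  True means legacy protocols are still enabled vendor-side.

    Returns None when this client cannot offer TLS 1.0/1.1 at all (the result
    is then inconclusive).  False can also mean the local OpenSSL build declined
    to offer legacy cipher suites, so confirm a False with a second tool if it
    matters.
    """
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; a probe
        # client has to lower it to be able to offer those versions at all.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True  # handshake completed at TLS 1.0 or 1.1
    except ssl.SSLError:
        return False  # server refused the legacy handshake


if __name__ == "__main__":
    import sys
    # Placeholder host; replace with the vendor's portal or API hostname.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(probe_tls(target))
    print("accepts TLS 1.0/1.1:", accepts_legacy_tls(target))
```

Run it as `python tls_check.py portal.vendor.example` from a machine with outbound HTTPS. A result with `meets_baseline` true and `accepts_legacy_tls` false is what a "TLS 1.2 or higher" answer should look like in practice. It checks only the version the server negotiates and whether it still accepts legacy protocols; it says nothing about encryption at rest, which remains a question for the vendor's SOC 2 report.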

Choosing Software Your Clinic Can Actually Trust

The healthcare software market is full of products that will promise you security. Fewer can prove it.

SOC 2 compliance is a meaningful signal: not because it guarantees perfection, but because it demonstrates that a company has subjected itself to independent scrutiny, maintains documented processes, and takes the responsibility of handling sensitive data seriously.

For clinics navigating the Privacy Act 2020, increasing patient expectations around data handling, and growing reliance on digital communications tools, this matters. Choosing SOC 2 compliant healthcare software is one concrete way to reduce the risk your clinic carries when it adopts new technology.

Heron's certification is part of a broader commitment: to be a platform that your clinical team, your patients, and your governance processes can rely on.

Ready to see how Heron works, and what our security posture looks like in practice? Book a Free Demo.

Frequently Asked Questions

  1. What is SOC 2 compliance in healthcare software?

    SOC 2 (System and Organisation Controls 2) is an independent auditing standard that evaluates how software companies protect data. For healthcare software, it confirms that security controls, data handling processes, and access management meet a verified standard — providing clinics with documented evidence that a vendor handles patient information responsibly.


  2. Is SOC 2 required for healthcare software in New Zealand?

    SOC 2 is not legally mandated in New Zealand, but it aligns directly with obligations under the Privacy Act 2020. Clinics are responsible for how patient data is handled by third-party vendors. Choosing SOC 2 compliant software is a practical way to demonstrate due diligence and reduce the risk associated with third-party data handling.


  3. What's the difference between SOC 2 Type I and Type II?

    SOC 2 Type I is a point-in-time assessment confirming controls are designed correctly. SOC 2 Type II is a period-based audit (typically 6–12 months) confirming that controls worked consistently over time. Type II is the more rigorous and meaningful credential for ongoing vendor relationships.


  4. Does Heron store patient data, and how is it protected?

    Heron processes patient communications data, including appointment details, messages, and contact information, as part of its platform. Heron's SOC 2 certification confirms that this data is subject to independently audited security controls, including access management, encryption standards, and incident response processes.


  5. What should clinics look for when evaluating the security of a patient communication platform?

    Look for SOC 2 Type II certification, data encryption both in transit and at rest, clear documentation of where data is stored and under which jurisdiction, a documented incident response process, and a vendor who is transparent and responsive when asked security questions directly.
