Sayvant Achieves SOC 2 Type 2 Certification
Designing Clinical Documentation AI with stringent compliance and security standards
By Justin Mardjuki, CEO
I’m pleased to announce that Sayvant has earned SOC 2 Type 2 certification. Achieving SOC 2 Type 2 demonstrates our ongoing dedication to maintaining a secure, compliant clinical documentation platform that clinicians and their IT teams can trust.
Why SOC 2 Type 2 Matters
Emergency departments and urgent care centers handle some of the most sensitive patient data at extremely high volumes. An independent, third-party SOC 2 Type 2 audit verifies that our security controls have been tested over time to meet industry-recognized standards for security, availability, and confidentiality. While the certification itself is important, we see it as just one milestone in a broader commitment to safeguarding healthcare data.
By achieving SOC 2 Type 2—alongside our established HIPAA compliance program—we can assure our partners that our platform is not only performant, but also designed to protect patient privacy, mitigate risks, and maintain reliability. A few of our controls are highlighted below:
1. Strict Access Controls
Clinicians in emergency medicine and urgent care often work within rotating teams, making it crucial to carefully manage who can access patient data at any given time.
We achieve this through a combination of role-based permissions and regular access reviews. Every user in our system is assigned only the level of access absolutely necessary to perform their job—whether that’s reviewing real-time transcripts, making chart edits, or overseeing administrative tasks. Our policy of least privilege helps ensure that unauthorized users, or even internal personnel who don’t need certain information, never see critical patient details. Multi-factor authentication (MFA) is enforced by default to further reduce the chances of an attacker gaining access to privileged accounts or the Sayvant system.
2. Continuous Monitoring and Logging
Acute care settings function 24/7, and our security posture aligns with around-the-clock usage of the platform. Our logging infrastructure captures every significant activity—from login attempts and configuration changes to the real-time transcription processes that transform audio input into clinical notes. These logs feed into a central platform, allowing us to spot anomalies, correlate events, and quickly home in on potential threats.
When something looks suspicious, our team follows a defined incident response plan to isolate the issue, investigate the scope, and resolve any vulnerabilities. By actively monitoring our environment in real time, we stay ahead of threats and minimize any impact on patient data or clinical operations.
3. Secure Architecture and Development
Secure architecture is in our DNA. We encrypt data both at rest and in transit, so even if network traffic were intercepted, it would be unreadable to an attacker. Our network architecture is segmented to prevent lateral movement between critical services, further reducing the risk of an isolated incident escalating into a larger breach.
We also follow a secure development lifecycle (SDLC) that includes routine code reviews, automated testing, and vulnerability scanning before any new release. This disciplined approach ensures that enhancements to our AI transcription and chart creation capabilities are vetted from a security standpoint before going live.
Beyond SOC 2: Additional Investments That Set Us Apart
While SOC 2 is an essential checkpoint, we go beyond its requirements to make Sayvant the clear choice for emergency medicine and urgent care clinicians—and for the IT and security teams that support them.
We Do Not Store Encounter Audio
We do not store raw audio. Instead, we transcribe patient-physician encounters in real time and discard the audio as soon as the transcription is complete. This approach eliminates the significant privacy and compliance concerns that come with retaining recorded audio files. By removing this data entirely, we lower your organization’s overall risk profile and ensure that there is no audio-based PHI at rest in our systems.
We Delete Your Data
We automatically delete all patient data from our systems after 72 hours. This policy dramatically reduces medicolegal exposure, since prior records can’t be inadvertently accessed or leaked. It also shrinks the potential attack surface for malicious actors. By holding onto only what’s necessary, we uphold a strict “less is more” philosophy that benefits everyone—clinicians, IT teams, and patients alike.
Your Data, Your Ownership
At Sayvant, we believe in absolute transparency when it comes to data ownership. Your patient data remains fully under your control, and we never train our AI models on your data or share it with any third parties. By keeping patient information separate from our model training pipelines, we maintain clear boundaries around PHI. This approach reinforces patient confidentiality, helps you meet HIPAA obligations, and ensures that your data is used solely for its intended clinical purpose.
Dedicated Infrastructure
Each healthcare group using Sayvant receives its own dedicated application, web, and database resources. This design isolates your environment from other customers, reducing cross-tenant risks and preventing potential lateral movement by unauthorized users. Because each deployment is self-contained, your security settings and performance configurations can be fine-tuned to meet the unique demands of your clinical setting. This level of customization helps maximize both data protection and platform reliability.
Single Sign-On (SSO) Integration
We integrate seamlessly with your existing SSO provider—such as Okta, Microsoft, or Google—to streamline credential management. This allows your IT and security teams to maintain a single source of truth for user identities. As staff members join, leave, or change roles, their privileges within Sayvant update automatically. By adopting your organization’s established authentication and authorization protocols, we save you from managing yet another set of credentials, while ensuring secure, centralized access control.
Our Ongoing Commitment to Data Security
Earning SOC 2 Type 2 certification is an important achievement, but it’s only part of our larger security posture. For busy emergency departments and urgent care centers, safe and streamlined documentation is critical. By building upon our HIPAA compliance program with SOC 2 Type 2—and continuing to invest in strong security measures—we help ensure your data stays protected, letting you focus on patient care.
If you have questions about our security practices or want more information on how Sayvant’s platform can enhance documentation while meeting strict security requirements, feel free to reach us at hello@sayvant.com. We remain dedicated to helping you deliver top-quality care—securely and efficiently.