CareBridge Field Guide
Plain talk on case management software
June 08, 2026·Security & Compliance·6 min read

Your agency stores some of the most sensitive information that exists — client diagnoses, housing histories, income records, immigration status, trauma disclosures. You picked your case management platform carefully. But do you know what your vendor actually does to protect that data from the inside?

Most nonprofit IT directors can answer the HIPAA question: "Do you have a signed BAA?" But a growing number of city and state funders — and an increasing share of board risk committees — are starting to ask a harder one: "Can your vendor show you a SOC 2 Type II audit report?"

If that question makes you pause, you're not alone. Here's what it means, why it matters more than a BAA alone, and what to ask your software vendor before your next contract renewal.


What Is SOC 2, and Why Does "Type II" Matter?

SOC 2 stands for System and Organization Controls 2. It's a security auditing framework developed by the American Institute of CPAs (AICPA) that evaluates how well a software company protects the data it holds on behalf of customers.

There are two versions:

Type I evaluates whether a vendor's security controls are suitably designed and in place at a single point in time.

Type II evaluates whether those same controls actually operated effectively over a review period.

The difference matters a great deal. A Type I report tells you a vendor had properly designed security controls on the day the auditor looked. A Type II report provides evidence they actually ran those controls, every day, under real conditions, across the whole audit period.

For agencies handling protected health information (PHI) or sensitive client records, Type II is the standard worth asking about.


Why a BAA Isn't Enough on Its Own

A Business Associate Agreement (BAA) is a legal contract. Signing one means your vendor accepts HIPAA liability — but it doesn't mean they've proven their infrastructure is secure. A vendor can sign a BAA and still run their systems on misconfigured servers, skip access logging, or fail to detect a breach for months.

Think of a BAA as a promise. SOC 2 Type II is independent, third-party evidence that the promise is being kept.

Some funders, particularly Medicaid managed care organizations and city-contracted social service providers, are beginning to require SOC 2 Type II as a condition of data-sharing agreements. Even if your funder doesn't require it today, getting ahead of this question protects your agency when the requirement arrives.


7 Questions to Ask Your Case Management Vendor Right Now

Whether you're evaluating a new platform or renewing a contract with an existing one, these questions should be on your checklist.

1. Do you have a SOC 2 Type II report, and can we see it (under NDA)?

A vendor who has completed a Type II audit will typically share a summary report or a redacted version under a mutual NDA. If they can't produce anything, that's useful information.

2. How recent is the audit?

SOC 2 Type II reports typically cover a 12-month period. A report from two or three years ago means controls haven't been independently verified in a long time. Ask for the most recent report and the date of the audit period covered.

3. Which trust service criteria did the audit cover?

SOC 2 audits can cover up to five criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. At minimum, you want a vendor whose audit covered the Security criteria (also called the Common Criteria). Ask explicitly.

4. Were there any qualified opinions or exceptions noted?

An auditor can note "exceptions" where a control failed or wasn't consistently followed. A small number of exceptions with documented remediation is normal. Many exceptions — or exceptions in access control or encryption — are red flags.

5. What is your penetration testing cadence?

SOC 2 covers internal controls. Pen testing is a complementary external attack simulation. Annual third-party pen testing is a reasonable expectation for any vendor holding PHI-adjacent data.

6. What is your incident response SLA?

If there's a breach, when do you get notified? HIPAA requires notification within 60 days of discovery, but responsible vendors notify affected customers within 24–72 hours. Get that in writing.

7. Are you currently pursuing SOC 2 Type II, and what's your target date?

Smaller or newer vendors may not have completed a Type II audit yet. That doesn't automatically disqualify them — but it's reasonable to ask about the roadmap, what compliance framework they're operating under in the meantime, and whether they've completed a readiness assessment with a qualified auditor.


What to Do If Your Vendor Doesn't Have SOC 2 Type II

Not every case management platform has achieved SOC 2 Type II, particularly newer platforms and those built specifically for community-based organizations. Here's how to assess the risk:


CareBridge's Current Security Posture

CareBridge operates under HIPAA-aware infrastructure with a signed BAA available on Team tier and above. Our infrastructure runs on Azure, which maintains its own portfolio of compliance certifications including SOC 2, HIPAA, and FedRAMP. Those certifications cover the underlying cloud platform, not the application and operational controls a vendor builds on top of it, which is why a vendor's own SOC 2 report is the one to ask for.

We are targeting SOC 2 Type II certification in Q1 2027. Agencies evaluating CareBridge for long-term deployments are welcome to ask about our current security controls, our readiness assessment timeline, and our contractual commitments around certification milestones.

We believe the right answer to "what's your SOC 2 status?" is an honest one — and that agencies deserve vendors willing to put that answer in writing.


The Bottom Line

SOC 2 Type II is not bureaucratic overhead. It's the closest thing the software industry has to an ongoing, independent proof that a vendor's security practices work in the real world. For agencies handling vulnerable populations and sensitive records, it's worth asking about — even if your funders haven't required it yet.

The best time to ask your vendor these questions was before you signed your last contract. The second-best time is now.


CareBridge is a mobile-first case management platform built for field-based human services teams. Learn more about our security practices and BAA availability at [carebridge.cloud/security].