TranslateMed

SOC 2 Compliance Roadmap

Our path to SOC 2 Type I certification. TranslateMed is built for healthcare from the ground up — many of the controls required by SOC 2 are already in place. This page documents our current security posture and certification timeline.

Last updated: June 1, 2026


Current Security Posture

These controls are already in production today. They form the foundation of our SOC 2 readiness.

TLS 1.3 encryption in transit
All connections to TranslateMed are encrypted with TLS 1.3. No exceptions, no fallback to older protocols.
AES-256 encryption at rest
All stored data is encrypted at rest using AES-256 across all storage layers.
EU data residency
All processing and storage occurs within EU-hosted infrastructure (Frankfurt). No patient data leaves the EU.
Role-based access control
Granular RBAC with four distinct roles: Owner, Admin, Member, and Viewer. Permissions are enforced at the API level.
SSO/SAML integration
Enterprise single sign-on via SAML 2.0 and OIDC. Compatible with Okta, Azure AD, Google Workspace, and other identity providers.
Per-tenant API key management with audit logging
Each organization has isolated API keys with immutable audit trails. All key creation, rotation, and revocation events are logged.
No PHI logging
Document content is never persisted in logs or beyond the active session. PHI safety is enforced at the code level, not just as a policy.
HIPAA Business Associate Agreement
BAAs are available for enterprise customers. Our architecture is designed for PHI-safe processing from the ground up.
FHIR R4 conformance
Full FHIR R4 REST API, including the ConceptMap resource and the $translate operation, supporting healthcare interoperability standards compliance.

Certification Timeline

Our roadmap to SOC 2 Type I and Type II certification.

Q3 2026 — Controls Documentation & Gap Assessment

Formal documentation of all existing security controls. Gap assessment against SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). Remediation planning for any identified gaps.

Q4 2026 — SOC 2 Type I Audit Engagement

Engage an independent AICPA-certified auditor. Type I audit evaluates the design of our security controls at a specific point in time.

Q1 2027 — SOC 2 Type I Certification (Target)

Expected completion of SOC 2 Type I certification, confirming that our security controls are properly designed and implemented.

Q3 2027 — SOC 2 Type II Certification

After a 6-month observation period, SOC 2 Type II certification confirms that our controls operate effectively over time — not just at a single point in time.


Additional Compliance

Beyond SOC 2, TranslateMed maintains compliance with these frameworks and standards.

GDPR Compliant

All infrastructure is EU-hosted. Data Processing Agreements are available. Full support for data access, rectification, and deletion requests.

HIPAA BAA Available

Business Associate Agreements available for US healthcare customers. PHI-safe architecture with no content logging and in-memory processing.

Offline Processing Mode

Available for organizations with strict data sovereignty requirements. All translations are processed using verified local mappings — no data is sent to external AI services.

HITRUST i1 Under Evaluation

HITRUST i1 certification is under evaluation as a follow-on to SOC 2 for customers who require healthcare-specific compliance frameworks.


Questions?

Evaluating TranslateMed for your organization? We're happy to provide additional details on our security posture, fill out your security questionnaire, or discuss BAA requirements.

Security questionnaire or BAA
[email protected]
Enterprise inquiry