Ghost Metrics Completes Its SOC 2 Type II Audit

Ghost Metrics Completes Its SOC 2 Type II Audit

Ghost Metrics has completed its first SOC 2 Type II audit. Independent auditor KEN & Co. CPA LLC examined our controls over a three-month period, January 26 to April 25, 2026, and issued an unqualified report with no exceptions noted. For the healthcare providers, agencies, and practices that trust us with sensitive website data, it is independent confirmation of a simple promise: the security controls we describe are the security controls we actually run.

Healthcare organizations are right to be skeptical of any vendor who simply says “trust us.” A SOC 2 Type II report is the opposite of that. It is a third party spending months verifying that the controls we describe are the controls we operate, which is exactly the kind of evidence a privacy or security team should expect from any analytics tool that touches patient data.

Here is what the audit covered, what SOC 2 Type II means, and, just as important for healthcare buyers, what it does not.

What SOC 2 Type II actually is

SOC 2 is an attestation standard from the American Institute of CPAs (AICPA). It evaluates a service organization’s controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the baseline that every SOC 2 includes.

The difference between Type I and Type II is the difference between a photo and a film. A Type I report checks whether controls are designed correctly at a single point in time. A Type II report tests whether those controls actually operated effectively over a period of months.

Type II is the harder of the two, because you cannot pass it on paper. The auditor gathers evidence across the entire observation window to confirm the controls ran as described, not just on the day they looked.

What was examined

Our SOC 2 Type II examination focused on the Security Trust Services Criteria: the controls that protect customer data from unauthorized access, disclosure, and tampering across its collection, processing, transmission, and storage.

Over the audit period, KEN & Co. evaluated the design and operating effectiveness of controls spanning access management, encryption, change management, system monitoring, incident response, vendor management, and business continuity. The examination resulted in an unqualified opinion with no exceptions noted.

A few of the specifics behind that, kept at a level we are glad to share publicly:

  • Customer data is encrypted in transit and at rest, hosted on AWS in the United States.
  • Production access is role-based and least-privilege, protected by multi-factor authentication and reviewed on a recurring basis.
  • We run continuous control monitoring, intrusion detection, and regular vulnerability scanning, backed by documented incident-response and disaster-recovery plans that are tested at least annually.

What SOC 2 is not: the “HIPAA certified” myth

This is the part worth saying plainly, because the healthcare market is full of confusion about it.

There is no such thing as a “HIPAA certification.” HIPAA is a federal law enforced by the HHS Office for Civil Rights, and no government body issues a certificate, badge, or seal that proves you comply. So when a vendor claims to be “HIPAA certified,” what they can actually put in front of you varies wildly, and often it is nothing at all.

SOC 2 Type II is one of the strongest, most objective answers to “prove it.” It does not replace HIPAA, since the two cover different ground, but it independently verifies the security program that any HIPAA-compliant analytics platform has to be built on. Paired with the Business Associate Agreement (BAA) we sign with every customer, it gives healthcare organizations something far more useful than a marketing claim: a third-party report their own security and compliance teams can review.

That is the whole reason we build analytics this way. Most general-purpose analytics tools were never designed for protected health information, and when you ask, they will not sign a BAA or hand you an audited report scoped to your risk. We will.

How to access the report

Our full SOC 2 Type II report, along with a real-time view of our compliance posture and security controls, is available through our Trust Center at security.ghostmetrics.io. The report itself is confidential and shared under NDA. Request access there and we will get it to you.

Frequently asked questions

Is SOC 2 the same as HIPAA compliance? No. SOC 2 is a voluntary attestation standard covering security and related controls; HIPAA is a federal healthcare privacy and security law. They overlap, but they are not interchangeable. SOC 2 independently verifies the security controls that support HIPAA compliance.

What is the difference between SOC 2 Type I and Type II? Type I assesses whether controls are designed appropriately at a single point in time. Type II tests whether those controls operated effectively over a period, which in our case was three months.

Which Trust Services Criteria did Ghost Metrics include? This examination covered the Security criteria.

Who performed the audit? KEN & Co. CPA LLC, an independent, AICPA peer-reviewed CPA firm.

Does Ghost Metrics sign a BAA? Yes. We sign a Business Associate Agreement with every customer.

How can I get a copy of the report? Visit our Trust Center at security.ghostmetrics.io to request access.

Chris Wathen
Co-Founder & CTO at Ghost Metrics. Writes about HIPAA, privacy, and the architecture behind compliant analytics.
Try Ghost Metrics

Stop betting compliance on a TOS promise.

Get analytics that sign a BAA and keep PHI out of the pixel, live in minutes.