DRAFT — DO NOT PUBLISH. Certification claims on this page are unverified placeholders. Niral V. Merchant must confirm in writing that BridgeMed Health has achieved the named certifications before this page is published to a production domain. — Veydros Consulting
BridgeMed Health’s platform has achieved SOC 2 Type II attestation [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED] — the gold standard for SaaS and digital health security.
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. It is widely adopted across digital health, financial services, and enterprise SaaS as the baseline expectation for any vendor that processes sensitive data on behalf of others.
There are two flavours of SOC 2 attestation. SOC 2 Type I is a point-in-time audit — it confirms that the organization’s controls, as described on the day of the audit, are designed appropriately. SOC 2 Type II is the harder and more meaningful attestation: it requires an independent auditor to test the operating effectiveness of those controls over a defined period — typically six to twelve months — and to issue a report that confirms the controls actually worked as described, every day, throughout that window.
BridgeMed Health holds a SOC 2 Type II attestation [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED], covering all five Trust Service Criteria. The audit is repeated annually, ensuring that controls do not drift over time and that any operational changes are re-evaluated against the same rigorous bar.
When BridgeMed Health is part of your vendor stack [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED], you inherit the assurance that an independent third-party auditor has tested our controls and issued an attestation that they operate as designed.
Our data handling, encryption, and access controls have been tested by an independent CPA firm, not self-attested. The report is signed and stands behind the engagement letter.
We maintain continuous monitoring across our infrastructure and internal controls. Drift, anomalies, and policy violations are surfaced to the security team and remediated against documented procedures.
Audit reports are available to enterprise partners and insurers upon request. Contact info@veydros.com with the subject line “SOC 2 Report Request”.
SOC 2 Type II audits can be scoped to a subset of the five Trust Service Criteria, but BridgeMed Health’s attestation covers all five [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]. The criteria are described below in plain language; the underlying control objectives are documented in the audit report itself.
Security: Protection against unauthorized access — physical and logical. Includes network and application firewalls, intrusion detection, multi-factor authentication, hardened endpoints, and access reviews. This is the only criterion that is mandatory in every SOC 2 engagement; the other four are scoped per attestation.
Availability: The system is operational and accessible as committed. Covers infrastructure monitoring, incident response, disaster recovery, business continuity planning, and the operational practices that keep the platform available to plan members and clinicians during their scheduled care.
Processing Integrity: System processing is complete, valid, accurate, timely, and authorized. For BridgeMed Health this means clinical documentation, intake records, and case manager communications are processed end-to-end without silent corruption, omission, or duplication.
Confidentiality: Information designated as confidential — including clinical notes, FPA reports, and case manager communications — is protected from disclosure to unauthorized parties. Covers encryption, access controls, secure disposal, and contractual protections with subprocessors.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of in accordance with our published privacy commitments and applicable law. The Privacy criterion in SOC 2 dovetails with our obligations under PHIPA (Ontario), PIPEDA (Canada), and HIPAA (United States), each of which is described in detail elsewhere in this Trust Centre.
Audit reports are available to enterprise partners and insurers upon request. To receive the most recent attestation, contact our security and privacy team. A mutual non-disclosure agreement is required prior to release. [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]
Email info@veydros.com