Hardening a healthcare API to SOC 2 and HIPAA
A security program that took a fast-moving product through SOC 2 Type II and HIPAA with zero critical findings.
- SOC 2: Type II passed
- 0 critical findings
- 100% data encrypted
## The challenge
A health product moving fast, with PHI flowing through it and an audit on the calendar.
## What we did
- Threat-modelled the system and closed gaps in authN/authZ and tenant isolation.
- Centralised secrets in Vault and enforced envelope encryption with AWS KMS.
- Built the evidence pipeline — logging, access reviews, change control — auditors actually want.
## Outcome
The product passed SOC 2 Type II and a HIPAA assessment with zero critical findings, without slowing the roadmap.