Doxy.me Inc. has been audited using the industry standard SOC 2® Type 2 method. This audit looked at HIPAA compliance and overall data security. As a result of the audit, a CPA reported that the management of doxy.me maintained effective controls over the Security, Availability, and Confidentiality AICPA Trust Services Criteria and HIPAA Security Rule of its doxy.me system. The engagement was performed by BARR Advisory, P.A., an independent auditor (see the official letter below).
The CPA’s report includes details about doxy.me's operations, processes, and procedures, as they relate to software security and the HIPAA Security Rule. While the report is confidential, a shorter and less technical version is available in a SOC 3® report (available below).
The basis for a SOC 2® Type 2 audit is ensuring that the controls tested in the Type 1 audit six months prior are still being followed. In other words, a Type 1 audit looks at a moment in time while a Type 2 audit looks at an extended period of time—in this case, six months.
The types of controls tested by the auditors include access control to systems and software; HR practices requiring new employees to sign confidentiality agreements and to complete security/HIPAA training annually; Business Associate Agreements signed with our third-party vendors; strong encryption of data in transit and at rest; and much more.
In all, about 160 controls were tested.
Making sure that doxy.me's security meets the key objectives set by the AICPA (Association of International Certified Professional Accountants) is no easy feat. It takes months of planning and testing, followed by numerous meetings and observations by the independent auditor. Only once these are completed can a final report be generated.
Doxy.me is proud to be among the few telehealth software solutions that have achieved a SOC 2® Type 2 report.
Doxy.me SOC 3® report