Sevana Health Achieves SOC 2 Type II Certification
Sevana Health Team
February 23, 2026
We're pleased to share that Sevana Health has completed a SOC 2 Type II audit. This means our security controls have been independently evaluated and validated as operating effectively over an extended observation period.
Why This Matters for Our Customers
Health plans that use our CMS Universe Scrubber trust us with sensitive data: Medicare Beneficiary Identifiers, member enrollment information, claims data, grievance records, and appeal details. That's not something we take lightly.
When we talk to compliance teams evaluating our platform, security is always one of the first questions. And it should be. Before SOC 2, we could describe our security practices. Now we have an independent auditor confirming they work as described, consistently, over time.
What SOC 2 Type II Actually Means
There's a meaningful difference between Type I and Type II:
SOC 2 Type I
Evaluates whether security controls are designed appropriately at a single point in time. Think of it as a snapshot.
SOC 2 Type II
Evaluates whether security controls are operating effectively over an extended period. It's not enough to have good policies — the auditor verifies you're actually following them, consistently, day after day.
What the Audit Covered
The SOC 2 examination evaluated our controls against the Security Trust Services Criterion — the foundational category that covers:
Protection Against Unauthorized Access
Controls that prevent unauthorized access to the systems and infrastructure that process, store, and transmit your CMS universe files.
Logical & Physical Access Controls
Role-based access, authentication mechanisms, and physical security measures for our infrastructure.
System Operations & Monitoring
Continuous monitoring, incident detection, and response procedures to identify and address security events.
Change Management & Risk Mitigation
Controlled processes for system changes and ongoing risk assessment to maintain security posture.
What This Means Practically
For compliance teams evaluating our platform:
- Faster vendor assessments. Your information security team can review our SOC 2 Type II report instead of sending lengthy security questionnaires. We're happy to share the full report under NDA.
- Delegation oversight evidence. If you're using our platform as part of your CMS audit preparation workflow, our SOC 2 report supports your vendor oversight documentation.
- Ongoing commitment. SOC 2 Type II isn't a one-time event. We'll continue annual audits to maintain certification and ensure our controls evolve with the threat landscape.
View Our Trust Center
We've published our security posture through a public Trust Center where you can review our compliance status, security practices, and request access to the full SOC 2 report.
Sevana Health Trust Center
Review our security posture and request the full SOC 2 report.
Ready to See the Platform?
If security has been a factor in your evaluation, we hope this makes the conversation easier. We'd love to show you how the CMS Universe Scrubber works.