Learn

System and Organization Controls 2 is an auditing standard developed by the American Institute of CPAs (AICPA). It evaluates how well a company protects customer data based on five "Trust Service Criteria": security, availability, processing integrity, confidentiality, and privacy.

Why we look for it: SOC 2 Type II is the gold standard for demonstrating ongoing data protection. A company with this certification has been independently verified to handle your data securely — not just at one point, but continuously.

The Health Insurance Portability and Accountability Act (1996) is the primary U.S. law governing how health information is stored, shared, and protected. It applies to "covered entities" (healthcare providers, insurers, clearinghouses) and their "business associates."

Why we look for it: HIPAA compliance means the company treats your health data with the same rigor as a hospital or doctor's office. Even when not legally required, voluntary HIPAA compliance shows a serious commitment to protecting sensitive health information.

An international standard for Information Security Management Systems (ISMS), published by the International Organization for Standardization. It provides a systematic framework for managing sensitive company and customer information through risk assessment, security controls, and continuous improvement.

Certification requires an external audit by an accredited body and must be renewed every three years, with annual surveillance audits in between.

Why we look for it: ISO 27001 is globally recognized and shows that a company has a comprehensive, audited security management program — not just individual security features, but an entire organizational approach to protecting data.

The General Data Protection Regulation (2018) is the European Union's comprehensive data privacy law. It gives individuals rights over their personal data — including the right to access, correct, delete, and port their data — and imposes strict requirements on how companies collect, store, and process personal information.

Why we look for it: GDPR compliance means strong user rights and data protections. Even for non-EU companies, voluntarily following GDPR principles indicates a higher standard of privacy. Products that store data on EU servers under GDPR governance provide some of the strongest privacy protections available.

The U.S. Food and Drug Administration regulates medical devices, including software that makes clinical claims. There are two main pathways to market:

Why we look for it: FDA oversight means the product's clinical claims have been reviewed by a regulatory body. It's not a guarantee of accuracy, but it provides accountability that unregulated wellness apps don't have.

Conformité Européenne marking indicates that a product meets EU health, safety, and environmental requirements. For medical devices (including health software), this is regulated under the Medical Device Regulation (MDR 2017/745), which replaced the older Medical Device Directive in 2021.

Why we look for it: CE marking under the MDR is the EU equivalent of FDA regulation. It means the product has been assessed against safety and performance requirements. The class level tells you how thoroughly it was reviewed.

Encryption converts your data into unreadable code that can only be decoded with the right key. We look for two types:

Why we look for it: Encryption is the foundation of data security. We verify that companies explicitly state their encryption practices — both in transit and at rest — rather than vaguely claiming "your data is secure."