Skip to content
    Healthcare SaaS| Venture-backed healthcare SaaS platform, ~100 employees, AWS-native

    Healthcare SaaS Earns a Clean SOC 2 Type II Opinion with Zero Exceptions

    SOC 2 Type IIHIPAA

    0

    Exceptions in the SOC 2 Type II report

    10 wks

    From gap assessment to audit-ready

    3

    Stalled enterprise deals unblocked

    Client snapshot

    A venture-backed healthcare SaaS company of roughly one hundred employees, running an AWS-native platform that processes protected health information for hospital and payer customers. The security function was two engineers deep, both splitting time with platform work. No prior audit history: enterprise prospects were asking for a SOC 2 report the company did not have.

    The challenge

    Three enterprise deals were stalled in security review, each blocked on the same question: where is your SOC 2 Type II report?

    The underlying security practices were not the real problem — engineering had solid access control and change management habits. The problem was that nothing was formalized. Policies were fragments in a wiki, evidence lived in screenshots and Slack threads, and nobody could say with confidence which controls would hold up under a CPA firm's testing across a months-long observation window.

    The company had also signed hospital customers with HIPAA obligations, so whatever program emerged had to serve both the audit and its regulatory reality — without hiring a compliance team it could not yet afford.

    Why Top Floor

    The company wanted practitioners who had sat on the auditor's side of the table, not a portal subscription with a checklist. Top Floor's team brings 15+ years in security assessment and audit, with backgrounds at leading assessment firms including Coalfire and A-LIGN, and 450+ assessments delivered across SOC 2, HITRUST, and CMMC.

    That dual perspective was the selling point: knowing exactly what an audit team will test, sample, and question — and designing the control set so the answers are already there. The engagement was founder-led from scoping through the audit window, with no handoff to junior staff.

    Approach and timeline

    Weeks 1–2 — Gap assessment. A structured review of the platform, policies, and practices against the SOC 2 Trust Services Criteria, scoped deliberately to Security and Availability rather than all five categories. The output was a prioritized remediation roadmap — not a generic findings dump — with each gap mapped to an owner and an effort estimate.

    Weeks 3–8 — Remediation and program build. Policies rewritten to describe what the team actually does, not aspirational boilerplate. Access reviews, vendor management, risk assessment, and incident response formalized into lightweight recurring routines. Evidence collection wired into the tools engineering already used, so audit artifacts accumulate as a side effect of normal work.

    Weeks 9–10 — Readiness validation. A dry-run assessment conducted the way an audit team would: sampling evidence, testing controls, and interviewing control owners. Findings were closed before the real observation window opened.

    The audit window. Top Floor supported the company through auditor selection, scoping calls with the CPA firm, evidence requests, and follow-up questions across the Type II observation period.

    Results

    The independent CPA firm issued an unmodified (clean) SOC 2 Type II opinion with zero exceptions noted, on the company's first examination.

    • All three stalled enterprise deals moved through security review; the report is now attached to every RFP response.
    • Security questionnaire turnaround dropped from weeks of ad-hoc scramble to days, because the answers and evidence already exist.
    • The compliance routines built during remediation doubled as the backbone of the company's HIPAA program, and set up a clear path toward HITRUST if hospital customers require it.

    What made the difference

    Scoping discipline. Auditing only the Trust Services Criteria the business needed kept the observation window achievable for a two-person security function.

    Assessor-informed design. Because the program was built by practitioners who have run these assessments at leading firms, every control was designed with its future test in mind — no retrofitting evidence at audit time.

    Controls that fit the team. Nothing was introduced that engineering would quietly abandon after the audit. The program survived contact with a production incident mid-window precisely because the incident response process was one the team had actually rehearsed.

    A note on confidentiality

    To protect client confidentiality, identifying details in this case study have been generalized and the client is not named. Framework scope, approach, timeline, and audit outcome are presented as delivered. The SOC 2 Type II examination was performed by an independent CPA firm; Top Floor served as the readiness and advisory partner.

    Ready for an outcome like this?

    Talk to the senior practitioners who deliver it — scoping, readiness, and audit support, founder-led from day one.

    Book a Consultation