Last reviewed: March 2026. Scispot reviews this page quarterly.
Vendor security reviews move faster when everyone agrees on the facts first. This page is a quick reference for what Scispot maintains today: independent assurance for our security program, plus the frameworks labs and enterprises most often ask about in questionnaires and procurement.
It is not a press release. If you are evaluating Scispot, routing an RFI, or aligning internal IT and quality stakeholders, use the sections below as a shared baseline. For formal evidence, your team can request reports and attestations under NDA through your Scispot contact.
Certifications and attestations at a glance
SOC 2 Type II. Scispot has undergone a SOC 2 examination against the AICPA Trust Services Criteria (SOC for Service Organizations, performed under the AICPA attestation standards commonly referenced as SSAE 18). A SOC 2 Type II report describes not only how controls are designed but how they operated over an agreed review period. Our examination was performed by an independent firm and resulted in an unqualified opinion: the auditor concluded that the controls were suitably designed and operated effectively throughout the period for the criteria in scope. If the auditor noted individual test exceptions, they appear in the report's test results section with management's response, so reviewers should read that section rather than the opinion letter alone.
ISO/IEC 27001:2022. Scispot is certified to ISO/IEC 27001:2022, the international standard for an information security management system (ISMS). Certification means an accredited certification body has assessed our ISMS against the standard and confirmed it meets the requirements, subject to annual surveillance audits and a recertification audit at the end of the three-year certification cycle.
Regulatory frameworks: HIPAA, GDPR, FDA 21 CFR Part 11, and PCI DSS
Scispot's security and compliance program is designed to support customers operating under common life science and healthcare regulatory frameworks. Here is how each applies:
HIPAA. Scispot supports customers who process protected health information (PHI) by executing a Business Associate Agreement (BAA). Our access controls, audit logging, encryption, and incident response processes are designed to support your HIPAA compliance obligations. To request a BAA, contact your Scispot representative.
GDPR. Scispot acts as a data processor for customers subject to the EU General Data Protection Regulation. We support data subject rights workflows, maintain a record of processing activities, and execute Data Processing Agreements (DPAs) with customers as required. A current list of Scispot subprocessors is available upon request.
FDA 21 CFR Part 11. Scispot's platform includes audit trails, electronic signature support, and access controls that are relevant to customers operating under FDA 21 CFR Part 11 requirements for electronic records and signatures. Validation documentation is available to qualified customers. Customers remain responsible for their own validation and compliance determination.
PCI DSS. Scispot does not store, process, or transmit cardholder data as part of its core platform. Payment processing, where applicable, is handled by PCI-compliant third-party processors. If your procurement team requires a formal PCI scope statement, contact your Scispot representative.
Why we reference Type II for SOC 2, not Type I
A Type I report covers whether controls were suitably designed and implemented as of a single date. A Type II report covers design plus operating effectiveness across a review period, typically six to twelve months. Teams that ask for SOC 2 in diligence almost always want Type II when it is available. Listing both Type I and Type II would be redundant for readers, because the Type II engagement builds on the same Trust Services foundation and the same system description.
What SOC 2 Type II signals for customers
SOC 2 is not a single checklist stamped on every vendor the same way. It is an attestation framework. The service organization defines the in-scope system and selects the applicable Trust Services Categories: security (the common criteria) is always included, and availability, confidentiality, processing integrity, and privacy are added depending on scope. The auditor tests controls mapped to those criteria and issues a report suitable for customers and their auditors under non-disclosure. Because scope is chosen by the vendor, the first thing to check in any SOC 2 report is which categories and which system it actually covers.
For life science and diagnostics teams, the practical value is straightforward: you can trace how a SaaS provider approaches access control, change management, logging and monitoring, vendor management, incident response, and related topics that show up in almost every security questionnaire. Type II specifically helps answer the follow-up question buyers ask after seeing a policy PDF: did these controls actually run the way you describe, consistently, over time?
When your information security team asks for a bridge letter or an update between annual report cycles, keep in mind what that document is: a bridge letter is a statement from the service organization's management, not the auditor, that no material changes to the control environment have occurred since the end of the report period. The report itself is a snapshot tied to a defined scope and period; your procurement process should treat it as one input alongside your own risk assessment, data classification, and contractual terms.
What ISO 27001:2022 adds alongside SOC 2
SOC 2 and ISO 27001 overlap in theme but differ in shape. SOC 2 is an attestation report grounded in AICPA criteria and shaped around the in-scope system and trust categories. ISO 27001 is a management-system standard: it expects documented policies, risk assessment and treatment, defined roles, internal audit, management review, and corrective action, with the Annex A controls (93 controls across organizational, people, physical, and technological themes in the 2022 edition) as the catalog teams recognize globally and the Statement of Applicability recording which of those controls are in scope and why.
Many enterprises maintain programs that reference both. Publishing SOC 2 Type II and ISO 27001:2022 together gives security and compliance partners two familiar lenses on how Scispot governs information security, without asking them to translate one framework into the other from scratch.
If your organization maps suppliers to a control framework such as NIST CSF or internal baseline policies, you will often find that ISO 27001 clauses and SOC 2 criteria reinforce the same outcomes: clear ownership, evidence of operation, and repeatable response when something drifts. The difference is mainly which audience reads the artifact first.
How we run the compliance program (tools and auditor)
We use Scrut, an automated security and compliance platform, to operate continuous monitoring, evidence collection, and workflow across our program. Automation does not replace judgment; it reduces drift between what we say we do and what we can demonstrate on a given day.
Our SOC 2 examination was performed by Prescient Assurance, a registered public accounting firm that provides attestation services for SaaS and B2B technology companies. Firms like Prescient routinely deliver SOC 2 and related assurance work; the important part for customers is that the opinion is issued by an independent auditor, not by Scispot marketing.
Data protection and infrastructure
Encryption. Data at rest is encrypted using AES-256. Data in transit is protected using TLS 1.2 or higher. Encryption key management follows industry-standard practices using the cloud provider's managed key services. If your policy requires specifics such as permitted cipher suites, key rotation intervals, or who can access key material, ask for them in the security package rather than inferring them from this summary.
Cloud infrastructure and data residency. Scispot is hosted on Amazon Web Services (AWS). Customer data is stored in the United States by default. EU data residency is available for customers with regional requirements; contact your representative to discuss options.
Penetration testing. Scispot conducts annual third-party penetration testing. Executive summaries are available to customers and prospects under NDA.
Subprocessors. A current list of Scispot subprocessors is available upon request through your Scispot representative.
Accuracy check when you receive the artifacts: confirm the ISO certificate names the accredited certification body, the certificate identifier, the scope statement, and the issue and expiry dates, and that the scope covers the service you are buying. Confirm the SOC 2 report states the exact Trust Services Categories in scope, the system description, and the period covered by Type II testing, and that the period end is recent enough for your policy (request a bridge letter if it is not). This page summarizes; the signed artifacts are authoritative.
Product context (why this matters for lab data)
Scispot provides a configurable, modern toolkit for life science and diagnostics labs: structured data in Labsheets, collaborative work in Labspace, workflows, integrations, and the surrounding controls customers expect from cloud software that holds research and operational data.
Certifications and attestations do not replace your own quality or regulatory decisions, especially where GxP or clinical frameworks apply. They do give IT, security, and procurement teams a recognized starting point when they ask whether a vendor operates disciplined security governance at the platform level.
How to use this page in a vendor assessment
Most security reviews follow a predictable rhythm. Start with the questionnaire or spreadsheet your team already uses. Map each control family to the evidence you need: policy statements, configuration screenshots, penetration test summaries, subprocessors, and third-party attestations. For Scispot, place the SOC 2 Type II report and ISO 27001 certificate in the attestation bucket, then trace specific questions (for example logging, access reviews, or backup strategy) to the relevant sections of those documents under NDA.
Ask your Scispot contact early for the reporting package. That reduces back-and-forth when legal review requires a direct NDA with the firm or a reliance letter. If you maintain a tiered vendor model, note which tier Scispot sits in based on data sensitivity and system criticality; the same report may answer different depth questions for a pilot workspace versus a production deployment tied to regulated records.
Shared responsibility (what you still own)
Cloud software always sits inside a shared responsibility model. Scispot operates the platform, infrastructure choices within our scope, and the security program described in our attestations. Your organization still configures workspaces, invites users, assigns roles, classifies data, integrates external systems, and decides how Scispot fits inside your validation or quality processes where those apply. Scispot maintains a platform status page at https://status.scispot.io and notifies affected customers of security incidents within the timeframes required by applicable law and contractual commitments.
Strong customer practice includes periodic access reviews, offboarding users promptly, using SSO where available, and documenting which data categories you place in the system. Our attestations address how the service is designed and operated; they do not automatically prove that every customer workspace is configured in a compliant way for your specific use case.
How to describe Scispot accurately in your own packets
Internal security portals and RFP attachments work best when language matches what independent parties will actually sign. We recommend stating that Scispot can provide a SOC 2 Type II report under NDA and an ISO/IEC 27001:2022 certificate for the in-scope management system, rather than shortening that to vague claims such as 'fully compliant' with every regulation. Precision protects both sides: your reviewers know which artifacts to expect, and your legal team avoids over-stating scope.
When you summarize subprocessors, data residency, or encryption, keep those fields synchronized with the vendor packet Scispot provides. If your template asks for PCI DSS or HIPAA, answer based on your use case and the guidance in our security materials. Blanket checkboxes without evidence create rework later; citing the correct attestation or policy reference usually clears questions faster than marketing language.
From our product leadership
Life science and diagnostics teams trust Scispot with research data, clinical records, and operational workflows that have no tolerance for gaps. Our SOC 2 Type II report, ISO 27001 certification, and continuous monitoring program reflect a deliberate investment in being the most auditable platform in the space - not just at certification time, but every day.
- Guru Singh, CEO and Co-Founder, Scispot.
Where to go next
We will keep this page aligned with the certifications and attestations we actively maintain. When scopes or standards are updated, the authoritative artifacts remain the auditor-issued report and the ISO certificate; this article is a reader-friendly index, not a substitute for those documents.
Ready to complete your vendor assessment?
Request Scispot's full security package - including our SOC 2 Type II report, ISO 27001 certificate, subprocessor list, and penetration test summary - by emailing security@scispot.com with your company name and NDA details.