Trust and Security
Vivo Care is a HIPAA compliant remote patient monitoring, chronic care management, and advanced primary care management platform. This page consolidates our security and compliance posture for the IT, security, and procurement teams that review us, with independently verified protection for the data your patients trust you with.
Talk with our teamSecurity and privacy at every layer
At Vivo Care, protecting patient information is not a feature, it is the foundation. Every program we run, Remote Patient Monitoring, Chronic Care Management, and Advanced Primary Care Management, is delivered on a HIPAA compliant platform with safeguards for protected health information built into every layer.
Independent attestations and compliance
We follow a deliberate maturity path: meet the regulatory baseline, prove it through independent examination, and continue toward the healthcare gold standard.
- HIPAA Compliant. Platform-wide across RPM, CCM, and APCM, with Business Associate Agreements and full safeguards for PHI.
- SOC 2® Type II. An independent examination of our controls across all five Trust Services Criteria over a defined audit period.
- HITRUST r2, in progress. Actively pursuing HITRUST r2 certification, building on the controls validated in our SOC 2 examination.

Independently examined. View our listing on the AICPA SOC for Service Organizations site.

“Our customers and partners trust us with their patients’ most sensitive data. Completing an independent SOC 2 Type II examination is how we prove that trust is well placed, not with claims, but with an outside auditor’s verification of how we operate every day. This is a milestone on a deliberate path, and the next step on that path is HITRUST.”
Ryan Clark
Chief Executive Officer
The five Trust Services Criteria
Our SOC 2 Type II examination spans all five Trust Services Criteria defined by the AICPA:
- Security. Systems are protected against unauthorized access, use, and modification.
- Availability. Systems are available for operation and use as committed.
- Processing Integrity. System processing is complete, valid, accurate, and timely.
- Confidentiality. Information designated as confidential is protected as committed.
- Privacy. Personal information is collected, used, retained, and disclosed in line with our commitments.

“When a provider adjusts a care plan based on a patient’s remote readings, that decision is only as sound as the data behind it. An independent SOC 2 Type II examination across all five Trust Services Criteria, including processing integrity, means the data our clinicians and partner providers rely on has been independently verified for accuracy and protection. In remote care, data integrity is patient safety.”
Dr. Aamir Iqbal, MD
Medical Director
How we protect data
Encryption. Patient data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
Access control. Access follows least-privilege, role-based controls, with periodic access reviews.
Monitoring. The environment is continuously logged and monitored.
Resilience. Documented incident response, disaster recovery, and business continuity procedures are maintained.
US-based hosting. The platform runs on US-based cloud infrastructure, and patient data remains in the United States.
Our attestation covers the Vivo Care platform we operate, not solely the certifications of an underlying cloud-hosting provider.
Secured end to end
From the patient’s FDA cleared device to the clinician’s dashboard, data is encrypted in transit and at rest. Access is limited to the people and services that need it, and every connection in the chain is monitored.
Our security program
Our controls are governed by a documented set of approved policies, reviewed regularly and enforced across the platform.
- Access controls. Least privilege access with multi factor authentication.
- Encryption. Data protected in transit and at rest.
- Monitoring and logging. Continuous monitoring with audit trails.
- Vulnerability management. Regular testing and patching.
- Incident response. A defined plan for detection, response, and notification.
- Vendor due diligence. Security review of vendors and sub-processors, including device partners that have completed a SOC 2 examination.
- Workforce training. Ongoing security and privacy training for our team.
Data privacy
Patient data is collected, used, and retained only to support care and the services providers ask us to deliver. We do not sell personal information. Our practices are described in full in our privacy policy.
Talk with our team
Have questions about our security and privacy, or want to see the platform in action? Our team is here to help.
Request a demoFurther reading
Compliance is an ongoing commitment, not a one-time exercise. We continually invest in the security, privacy, and regulatory standards that protect patient data. Explore how we approach secure care below, and stay current on the topics that affect your program.
Stay current on security and compliance: subscribe to The Remote Care Standard
Our regular Compliance Corner: security, privacy, and regulatory updates that affect your program.
Security documentation
Security and procurement teams can access our SOC 2 Type II report and supporting security documentation through our compliance portal. The non-disclosure agreement is handled in the portal.
Request our security documents