Security First: Brim Analytics' Path to SOC 2 Compliance

June 16, 2025
At Brim Analytics, we help teams accelerate medical research, clinical trial enrollment, and clinical workflows by unlocking insights from unstructured medical notes. Security isn’t just a requirement — it’s the foundation of our work.
In this post, we’re sharing our journey to SOC 2 Type II compliance: why we pursued it, how we approached the audit, and what we learned along the way.
Built for Privacy and Security
Brim is designed for sensitive environments — especially health systems and clinical research teams. Our platform supports on-premise deployment, so protected health data stays behind your firewall. No user data leaves your system.
We also take a fundamentally different approach from many AI companies:
- No data used for model training.
- Bring-your-own LLM to limit the number of attack surfaces.
- RAG and prompt optimization instead of model fine-tuning.
This means you can use AI chart abstraction confidently — without increasing your data exposure.
Why SOC 2?
While we already had strong security practices in place, we pursued SOC 2 Type II certification to provide transparent, third-party validation of our controls.
SOC 2 evaluates how well an organization adheres to its own security policies and procedures — not just in theory, but in everyday operations. A certified CPA firm conducted a months-long audit to confirm that our security, availability, and confidentiality controls are both well-designed and effective.
What the Process Involved
SOC 2 doesn’t come with a checklist. Instead, it requires organizations to prove how they mitigate risk — and to provide real-world evidence.
To streamline the process, we partnered with Vanta, a compliance automation platform. Vanta connected to our existing tools (e.g., GitHub, Google Workspace, AWS), tracked key practices like MFA and vulnerability scanning, and helped surface areas for improvement.
Here’s how our audit process broke down:
🔍 Phase 1: Policy Documentation
We formalized our security and operational policies — everything from data handling to incident response.
🛡️ Phase 2: Asset Inventory & Monitoring
We cataloged all systems under our control and implemented vulnerability monitoring across our infrastructure.
🤝 Phase 3: Vendor Risk Assessment
We evaluated our vendors and documented contingency plans in case any became unavailable.
🚨 Phase 4: Disaster Recovery & Risk Analysis
We ran recovery drills and assessed organizational risks, from infrastructure failures to third-party issues.
📂 Phase 5: Evidence Collection
Finally, we compiled audit-ready evidence for every policy and control — with Vanta automating the bulk of it, and our team supplying Brim-specific documentation.
Lessons Learned
Here are three key takeaways from our journey:
1. Security First, Compliance Follows
Compliance isn’t the goal — security is. Brim’s architecture (especially on-prem deployment) reflects our deep focus on minimizing data exposure, even when it’s not required by SOC 2.
2. Don’t Rush It
SOC 2 compliance took us about six months. With a small team, we balanced audit prep alongside product development and customer work. Taking the time to do it right pays off.
3. It’s Just the Beginning
SOC 2 Type II compliance is a milestone — not the finish line. As AI chart abstraction and clinical research evolve, we’ll continue to adapt our security posture to meet new challenges and protect our customers.
Looking Ahead
We're proud to support academic research and health systems with tools that deliver AI-powered insights with uncompromising security. Whether you're focused on clinical trial recruitment, building a clinical registry, streamlining clinical workflows, or conducting academic research — you can count on Brim to keep your data safe.