We Earned SOC 2 Type II — Here's What That Actually Means
Around Notes has achieved SOC 2 Type II certification—independent validation of our commitment to patient and user privacy. What it means for clinicians choosing AI documentation tools.
Last time we wrote about this, we were in the middle of our SOC 2 audit. Today, I'm proud to share that Around Notes has achieved SOC 2 Type II certification.
From Audit to Proof
Type I tells you a company has controls in place on a given day. Type II tells you those controls actually work—over time. An independent auditor reviewed our security, availability, and confidentiality practices across months of real operations. Not a checklist we filled out in a weekend. Months of scrutiny.
Why We Did This
As a physician, patient privacy was drilled into me from day one on the wards. That mindset shaped how I built Around Notes from the moment I hired our first developer. I always tell my team, "Don't break my app, and don't break HIPAA!"
SOC 2 Type II is another layer of that commitment—not a badge for the website, but proof that our dedication to patient and user privacy and protection runs deeper than a slogan.
"Finally achieving SOC 2 Type II shows our dedication to patient and user privacy and protection. In healthcare, trust should be earned—not assumed. This is us earning it."
— Dr. Micheal Massoud, Founder & CEO
What This Means for You
If you're a hospitalist, nocturnist, or locum evaluating AI documentation tools, you deserve more than a privacy policy PDF. You deserve evidence. SOC 2 Type II means:
- Access controls reviewed and tested over time
- Data handling governed by documented, audited processes
- Incident response and monitoring built into how we operate—not bolted on after the fact
- Third-party validation you can share with your compliance team
The Unglamorous Work, Done
This is still the unglamorous work: policies, access reviews, logging, documentation, outside scrutiny. Good. Not everything in healthcare is as cool as what you see on The Pitt—but the job of protecting patient data must be done.
Our Position Hasn't Changed
We said it when we started our audit: SOC 2 does not magically make a company good, and plenty of people toss the acronym around like it is a personality trait. But it does force rigor. It does force accountability. And for a company handling clinical data, that matters.
Healthcare AI should not just be fast and impressive. It should be governed like it belongs there. SOC 2 Type II doesn't make us perfect—but it makes us accountable. And for a company like ours, that matters.
About the Author
Dr. Micheal Massoud
Founder & Hospitalist | Wharton EMBA
Physician, founder, and Wharton Executive MBA candidate with roots in military medicine and a mission to make healthcare human again. Former Air Force officer who practiced hospital medicine across the globe and founded Around Notes—an AI-driven platform that helps hospitalists write better notes, faster. At Wharton, I'm bridging healthcare, technology, and leadership to create tools that amplify clinicians, not replace them.