Spruce Completes SOC 2 Type II Audit ?

We’re thrilled to announce today that Spruce has successfully completed a System and Organization Controls (SOC) 2 Type II audit examination of our Care Messenger platform! ?

SOC 2 audits, performed by independent auditors, evaluate whether the safeguards employed by organizations like Spruce are adequate to ensure the protection and security of their clients’ data. For our audit, Spruce retained international business advisory firm Skoda Minotti, and we have been working diligently with their experienced auditors over the past two-and-a-half (2½!) years to fully document and then test the Spruce systems and processes.

Securing and protecting our users and their data has always been a top priority for us at Spruce, and now we have one more way to prove that to you.

We are especially happy to have achieved positive results in a SOC 2 Type II audit, as this type of audit assesses whether the safeguards that Spruce employs actually work over time to protect our systems and our users. This long and detailed investigation began with the SOC 2 Type I audit that we completed last year, in which the Skoda Minotti auditors assessed our controls and plans at a fixed point in time and found them to exceed industry standards.

After this successful SOC 2 Type I audit, we then continued to work hard through the subsequent year-long examination period of the Type II audit to make sure that Spruce would live up to the high bar that we had set for ourselves. Today’s confirmatory SOC 2 Type II audit results show that we did just that, and we’re elated to be able to share this good news with all of the people and organizations who depend on Spruce every day.

Securing and protecting our users and their data has always been a top priority for us at Spruce, and now we have one more way to prove that to you. Download the Spruce SOC 2 Type II certificate of completion.


Skoda Minotti’s testing of Spruce’s controls included examinations of our policies and procedures regarding network connectivity, firewall configurations, systems development life cycle, computer operations, logical access, data transmission, backup and disaster recovery, and other critical operational areas.

Upon completion of the SOC 2 Type II audit, Spruce received a Service Auditor’s Report with an unqualified opinion, which signifies that the independent auditors found our policies, procedures, and infrastructure to meet or exceed the stringent SOC 2 criteria against which they were being assessed.

SOC 2 logo

San Francisco, CA – Spruce Health, Inc., a healthcare technology company, today announced that it has successfully completed a System and Organization Controls (SOC) 2® Type II Audit examination for their Care Messenger System, in conjunction with business advisory and auditing firm Skoda Minotti.

About – Spruce Health, Inc.

Spruce Health is a healthcare technology company that is dedicated to providing solutions that enable modern care to occur outside of face-to-face interactions and the four walls of the medical office. Spruce serves a diverse set of medical organizations, from solo providers through to large multi-site, multi-specialty practice groups, and the company offers advanced solutions in telemedicine, telephony, secure messaging, team collaboration, population management, workflow efficiency, and many other necessary areas and functions of healthcare today.

Spruce’s flagship product is Spruce Care Messenger, a cloud-based application that enables innovative healthcare teams to implement workflows for both in-person and remote care that can increase quality, efficiency, and satisfaction. Care Messenger is available via native mobile applications (both iOS and Android) as well as through a web application, allowing users flexibility in how they use its features. Medical teams using Care Messenger can interact internally, with each other, and also with their patients or other external parties over their choice of a variety of available communication channels, including secure messaging and telemedicine. All communication is treated as part of a unified, chronological medical record, and population management and team collaboration features are overlaid to allow teams to develop high-quality, efficient approaches to serving their patient panels.

About – Skoda Minotti

Skoda Minotti is a Certified Public Accounting Firm based in Cleveland, OH, offering a variety of tax, finance, and business advisory services in virtually every area of business. The Risk Advisory practice specializes in SOC Reporting, PCI DSS Compliance, FISMA, NIST, and other regulatory information security assessments. Staff in Skoda Minotti’s Risk Advisory hold several industry certifications, including Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Qualified Security Assessor (QSA), GIAC Penetration Tester (GPEN), and GIAC Web Application Penetration Tester (GWAPT).

Related Articles

Dive into this succinct eBook created from our March 13 webinar with TJ Walsh, MA, LPC, NCC, CCTP, a...