For the first half of my career, I worked in information security. I built and led the global application security team for one of the largest insurance companies in the world.

Because of my background in security, it was essential to me to make sure Steno had security in its DNA — everything was built with security in mind when we started Steno.

Many of our decisions as a company are driven by our core values: to be highly reliable, constantly innovate, and operate with a hospitality mindset. Our clients trust us to handle their sensitive data with the same care we would want our data handled. Our commitment to upholding the highest security standards aligns with our core value of being highly reliable to the attorneys and providers we partner with.

I am proud to announce that we have been audited and demonstrated compliance with System and Organization Controls (SOC) 2 Type II and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Defining SOC 2 Type II and HIPAA Compliance

The American Institute of Certified Public Accountants created SOC as a reporting framework that helps businesses manage risks. In the process of securing compliance, Steno was evaluated on our criteria for managing customer data based on three trust service principles:

• Security
• Availability
• Confidentiality

HIPAA’s overarching goal is to keep patients’ protected health information safe and secure, whether it exists in a physical or electronic form. 

Since its initial passage, several additions to HIPAA have required the critical attention and compliance of covered entities and business associates. For example, electronic health records and maintaining patient health information in electronic form led to the broader development of technology and digital health data storage and distribution platforms.

Steno partnered with Linford & Company LLP as our independent external auditor to report on the effectiveness of Steno’s controls against the SOC 2 Type II and HIPAA standards.

Securing SOC 2 Type II and HIPAA Compliance

Steno’s security was evaluated against SOC 2 Type II and HIPAA requirements. A Type II report is extraordinarily detailed and widely trusted because it evaluates security over a period of time versus looking at a snapshot only.

To issue its report, Linford & Company LLP examined Steno Connect, the Firm Dashboard, and Ops.

Steno Connect is a platform built specifically for remote legal proceedings. It combines state-of-the-art videoconferencing with seamless exhibit handling. Exhibits can be shared, opened, viewed, numbered, and annotated directly within the platform.

The Firm Dashboard allows users to search for past, current, and future jobs within their cases, manage their jobs, add services, view and pay invoices, and access produced job files such as transcripts, exhibits and video, all in one place.

Ops is Steno’s internal administrative tool for our staff to manage and monitor day-to-day operations. The key functions of Ops include scheduling and editing jobs, adding services when requested by clients, booking providers, generating and sending invoices, managing Firm Dashboard accounts, producing transcripts, and storing all of Steno’s job files. 

Steno’s technology offerings were found to be in compliance with SOC 2 Type II and HIPAA requirements.

The primary teams involved with obtaining our SOC 2 and HIPAA compliance were: Legal, People Operations, Engineering, and IT. However, everyone at Steno was engaged in one way or another, including security awareness and adherence to documented security policies due to this process.

Maintaining the safety and security of information has been a part of Steno’s foundation since the early days. Most of the effort during the audit went into formalizing some of our existing practices into cross-departmental policies involving people operations, legal, engineering and IT. 

Our Commitment to Saftey and Security

Our clients trust us with very sensitive info, including transcripts and videos from confidential proceedings. It is of the utmost importance for us to maintain the level of trust that we have worked hard to build.  

I have completed the same compliance process for other companies in the past. Historically, this process has been more painful because it took place via spreadsheets and all evidence had to be manually collected. At Steno, it is important for us to implement a system that continuously monitors our environment for compliance. We partnered with Vanta, and that served two primary purposes for us: 

1. It gives us peace of mind that if some system comes out of compliance, we are immediately notified so that we can correct the issue (instead of waiting for a manual check potentially several months later)
2. It helps to automate an otherwise manual process of collecting evidence for various controls, which ultimately enabled us to be ready for our SOC 2 and HIPAA assessment sooner than we otherwise would have been.

As Steno’s Chief Technology Officer, I knew we were following security best practices, but having a third-party company attest to the quality of standards that we had in place was vital for us.

By securing our SOC 2 Type II and HIPAA certifications, we want our clients to understand that we are not only passionately focused on creating new technology to help improve their litigation practice, but we are also completely committed to keeping their information safe and secure.