OpenVPN Announces SOC 2 Type 2 and HIPAA Compliance

Written by Krista Lyons | Jan 31, 2025 3:46:08 PM

OpenVPN is proud to announce successful completion of two critical certifications: the System and Organization Controls (SOC) 2 Type 2 Certification examination, and HIPAA compliance. SOC 2 Type 2 certification was completed on November 26, 2024, and HIPAA compliance was completed on October 22, 2024. 

“Our team has worked tirelessly to complete a number of security audits,” says Francis Dinha, Co-Founder and CEO of OpenVPN. “As a result, OpenVPN has received our SOC 2 Type 2 certification, as well as our HIPAA compliance certification. These audits highlight what tens of thousands of businesses already know — security and privacy are priority number one for OpenVPN.”

Information about SOC 2 Type 2 compliance 

In order to meet the SOC 2 standards, OpenVPN demonstrated strict information security practices, policies, procedures, and operations standards for security, availability, and confidentiality over a period of six months. This audit involved multiple teams and departments within OpenVPN. 

SOC 2 is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA), with the primary purpose of ensuring that third-party service providers store and process client data in a secure manner.

SOC 2 Reports help companies achieve that goal and are considered the “gold standard” for security compliance, internal processes, and organizational compliance awareness in SaaS companies. They require periodic maintenance and can take as long as a year to obtain. These reports provide industry-wide acknowledgment that a company adheres to “trust service principles” such as Security and Confidentiality.

“OpenVPN is focused on maintaining the highest levels of security around our products and customers,” says Brian Litzinger, Head of Security for OpenVPN. “We have invested substantial time to reduce the compliance burden for our customers. To that end we are excited to announce that OpenVPN Inc., Access Server, and CloudConnexa are SOC 2 Type 2 Compliant AICPA certified.”

Information about HIPAA compliance 

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, referred to here simply as HIPAA, focuses specifically on safeguarding personal health information, or PHI.

Compliance is mandated for all organizations defined by HIPAA as covered entities and business associates — in other words, healthcare providers and companies that can access healthcare data, like e-charting platforms. This rule also applies to anyone who may interact with health data in any way, even if that data is only in transit via your company (like a VPN).

The HIPAA compliance assessment reviewed the use, disclosure, and accessibility of PHI. The scope of this review included OpenVPN, Inc.'s policies and procedures related to HIPAA Compliance, as well as OpenVPN, Inc.'s information system(s) and platform(s) maintaining PHI.

The requirements of the HIPAA Security Rule are organized according to safeguards, standards, and implementation specifications, including:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies and Procedures and Documentation Requirements

Compliance also ensures that businesses meet the requirements of the Breach Notification Rule as formalized by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Rule of 2013.

Where to find OpenVPN’s security reports

Gaining our voluntary SOC 2 security certification is just one of our many efforts to maintain a secure environment for our users. OpenVPN’s CloudConnexa and Access Server are built on the OpenVPN protocol, which is continually evaluated for vulnerabilities and exposures.

Transparency is critical in keeping your business secure. OpenVPN is happy to share our current and past security reports, including our past vulnerabilities and advisories. 

OpenVPN is continually seeking security validation, including ongoing SOC 2 compliance. To get a copy of OpenVPN’s SOC 2 report, reach out to a member of the OpenVPN team here.

You can download a copy of the HIPAA report here.

To learn more about OpenVPN’s security protocols, read up on our latest security advisories.