Thoropass SOC 2: Pricing, Checklist, And Audit Process


SOC 2 compliance isn't optional when you're handling sensitive data, especially in healthcare. But the audit process is notoriously painful: months of preparation, scattered evidence collection, and enough back-and-forth with auditors to make anyone rethink their career choices. Thoropass SOC 2 has become a popular search topic because the platform promises to cut through that pain with automation and guided workflows that replace spreadsheets and guesswork.

Thoropass (formerly Laika) offers a compliance platform that helps companies scope, prepare for, and complete their SOC 2 audits faster. It pairs software with in-house auditors, which means you're getting the tooling and the audit itself from one vendor. For teams building healthcare applications, where SOC 2 Type II is often a baseline expectation from hospital systems and health plans, understanding what Thoropass actually delivers, what it costs, and how the process works matters before you sign a contract.

At SoFaaS, we've gone through SOC 2 Type II certification ourselves to ensure our SMART on FHIR integration platform meets the security standards healthcare organizations demand. That experience gives us a grounded perspective on what compliance tools actually help versus what just looks good in a demo. This article breaks down Thoropass's pricing, the SOC 2 checklist you'll need to follow, and how the audit process works from start to finish, so you can decide if it's the right fit for your team.

What Thoropass SOC 2 means in practice

Thoropass SOC 2 combines compliance software with in-house auditors under one roof. Most companies pursuing SOC 2 certification manage two separate relationships: a readiness tool or consultant for preparation, and a separate CPA firm for the actual audit. Thoropass collapses those into a single vendor relationship, which removes a common source of friction where your prep work doesn't translate cleanly into what the auditor actually needs to see.

The platform and auditor model

Licensed CPA auditors at Thoropass conduct the official SOC 2 examination directly. This matters because the audit itself must be performed by an independent CPA firm to produce a valid SOC 2 report, and Thoropass's in-house audit team fulfills that requirement. You work inside their software to collect evidence, map controls, and track remediation tasks, while the same organization reviews that evidence and signs the final report.

When your compliance platform and your auditor share the same system, evidence gaps surface earlier, and you spend less time translating work from one tool into documentation a separate auditor can use.

Their software organizes your work into structured workflows that guide you from initial scoping through evidence collection to audit fieldwork. Instead of maintaining a spreadsheet of controls and chasing teammates for screenshots, you assign tasks inside the platform and track completion against a centralized dashboard your whole team can see.

What the software actually does

The platform maps your chosen Trust Services Criteria to specific controls, then prompts you to collect evidence for each one. If you select the Security criterion, Thoropass generates a list of control requirements (access reviews, encryption configurations, vendor risk assessments) and ties those requirements to the integrations you've enabled with tools like AWS, Google Workspace, or GitHub.

Those integrations pull evidence automatically where possible. Automated evidence collection covers common items like user access logs, multi-factor authentication status, and configuration settings pulled directly from connected systems. For controls that require manual evidence, such as policy documents, training records, and incident response tests, the platform flags those separately and tracks their completion status so nothing falls through.

How Thoropass differs from traditional audits

Traditional SOC 2 audits run on email and shared folders. You send evidence to an auditor, wait for questions, revise, and repeat over weeks. Thoropass centralizes that exchange inside the platform, so auditors flag missing items directly against specific controls rather than sending back a vague consolidated request list that you then have to decode.

The timeline difference is real. Traditional audit preparation for a first-time Type II audit typically spans six to twelve months across the readiness phase and the audit period itself. Thoropass advertises faster completion because their structured approach reduces the back-and-forth that normally drags out each phase. Your team sees exactly what evidence is needed upfront, and auditors access evidence as it's collected rather than reviewing a static package handed over at the end of the process.

Why SOC 2 matters for healthcare SaaS vendors

Healthcare organizations don't move fast on vendor approvals. Before a hospital system, health plan, or large provider group signs a contract with your company, their security and procurement teams will ask for a SOC 2 report. Without one, your deal stalls at the vendor review stage, regardless of how strong your product is. SOC 2 isn't just a checkbox on a questionnaire; it's a signal that your organization has implemented formal security controls and had them verified by an independent auditor.

Enterprise deals require a Type II report specifically

A SOC 2 Type I report confirms your controls exist at a point in time, but most enterprise healthcare buyers want a Type II report, which shows those controls operated effectively over a period, typically six to twelve months. This distinction matters because a Type I is relatively quick to obtain but rarely satisfies procurement requirements at hospital systems or health plans. Tools like Thoropass SOC 2 are designed to shorten the Type II audit cycle without cutting corners on what the report actually covers, which is what makes them worth evaluating if you're targeting enterprise healthcare contracts.

A Type II report gives your buyers evidence that your controls held up under real operating conditions, not just on the day you decided to get certified.

HIPAA alone isn't enough to win enterprise contracts

Many healthcare SaaS teams assume HIPAA compliance satisfies all security requirements from potential customers. It doesn't. HIPAA governs how you handle protected health information but doesn't require independent third-party verification of your security program. SOC 2 provides that third-party validation, and buyers know the difference. When a health system's security team reviews your vendor questionnaire response, citing SOC 2 Type II carries far more weight than a self-attested HIPAA compliance statement because the latter requires no external audit at all.

Healthcare buyers also use SOC 2 reports to evaluate specific controls that matter to them, such as access management, encryption standards, and incident response procedures. When you hand over your SOC 2 report, you're giving their team audited evidence on exactly those areas, which shortens their internal review process and moves your contract forward faster.

SOC 2 scope choices: criteria, systems, and vendors

Before you start any work in Thoropass or any other compliance platform, you need to decide what your SOC 2 audit actually covers. Scope decisions shape everything else: the controls you implement, the evidence you collect, and how long the process takes. Getting this wrong upfront means either over-investing in controls you don't need or producing a report that doesn't satisfy your buyers.

Choosing your Trust Services Criteria

The AICPA defines five Trust Services Criteria that a SOC 2 audit can cover: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security is mandatory for every SOC 2 report. The others are optional, and most companies starting out select only Security, sometimes adding Availability if they have uptime commitments in customer contracts.

Adding criteria beyond Security expands your control requirements significantly, so start with Security only unless your customers are specifically requesting additional criteria.

For healthcare SaaS vendors, Availability is often worth including because health system buyers care about uptime guarantees. Confidentiality becomes relevant if you handle sensitive business data beyond PHI. Privacy applies specifically to how you collect and use personal data, and it overlaps with HIPAA obligations in ways your legal team should review before you include it in your scope.

Defining your systems in scope

Your system boundary determines which infrastructure, applications, and processes the auditor examines. A narrower scope reduces the number of controls you need to satisfy, but buyers will scrutinize what you've excluded. Include any system that stores, processes, or transmits the data your service commitments apply to.

Map your architecture before you configure anything in a Thoropass SOC 2 engagement. Identify your production environment, your data pipeline tools, and any third-party services that handle customer data on your behalf. Systems you exclude from scope need a clear justification, and auditors will ask for one.

Evaluating subservice organizations

Subservice organizations are third-party vendors whose services fall within your system boundary, such as your cloud hosting provider or a managed database service. You have two options for handling them in your report: the carve-out method, which excludes their controls from your report, or the inclusive method, which incorporates their controls directly.

Most teams use the carve-out method and reference the vendor's own SOC 2 report as complementary evidence, keeping their own scope manageable.

Thoropass SOC 2 audit process step by step

The Thoropass SOC 2 audit process follows a structured sequence that moves you from initial setup through final report delivery. Knowing what each phase demands upfront helps you allocate team bandwidth accurately and avoid the scramble that typically derails first-time audits.


Phase 1: Scoping and onboarding

When you start, Thoropass guides you through defining your system boundary and Trust Services Criteria. You connect your existing tools, such as your cloud provider, identity management system, and code repository, using pre-built integrations. The platform uses those connections to auto-populate baseline control requirements relevant to your environment, so you're not starting from a blank template.

After scoping, Thoropass assigns you a dedicated compliance manager who reviews your architecture and flags any obvious gaps before you formally begin. This early review prevents surprises later in the process and helps your team understand what the audit period's evidence requirements will actually look like in practice.

Phase 2: Remediation and evidence collection

Once your controls are mapped, the platform generates a task list showing exactly what evidence you need and who is responsible for collecting it. Automated integrations pull evidence directly from connected systems for controls like multi-factor authentication enforcement, access provisioning logs, and encryption configurations.

For controls requiring manual evidence, such as policy approvals, security training completion, and vendor risk reviews, the platform tracks outstanding items on a centralized dashboard so nothing gets missed. Your team works through these tasks during the audit observation period, which typically runs between three and twelve months depending on the Type II window you've chosen.

The observation period length directly affects how useful your report is to buyers: a twelve-month period gives prospective customers stronger evidence of consistent control operation than a three-month window.

Phase 3: Audit fieldwork and report delivery

Once your observation period ends, Thoropass's in-house CPA auditors begin formal fieldwork. They review the evidence collected in the platform, request clarification on specific items directly through the tool, and test control effectiveness against the criteria you selected. Because the auditors have accessed your evidence throughout the process rather than receiving a single package at the end, fieldwork moves faster than in traditional audit engagements. You receive a final SOC 2 report you can share with customers once the examination is complete.

SOC 2 readiness checklist you can use today

Running a Thoropass SOC 2 engagement goes smoother when your team has already addressed the most common readiness gaps before the audit period starts. The items below reflect what auditors consistently examine, regardless of which platform you use. Work through these before you connect your systems and configure your scope, so you're building on a solid foundation rather than patching holes under time pressure.


Starting remediation before your audit observation period begins means you document controls that actually work, not controls you scrambled to put in place after the fact.

Policies and documentation

Written policies are the foundation of every SOC 2 audit. Auditors verify that your security program is formal and documented, not just practiced informally. Your policy library needs to cover the following areas at minimum:

  • Information security policy covering access control, acceptable use, and data classification
  • Incident response plan with defined roles and escalation paths
  • Change management policy governing how production changes are approved and deployed
  • Vendor management policy that outlines how you review third-party security practices
  • Business continuity and disaster recovery plan with tested recovery procedures

Technical controls

The technical environment you operate needs to reflect the policies you've written. Auditors pull direct evidence from your systems to confirm these controls are active, so document every configuration you've implemented and keep that documentation current.

  • Multi-factor authentication enforced across all systems that access customer data
  • Encryption at rest and in transit for all environments in your system boundary
  • Centralized logging with retention periods that meet your policy commitments
  • Role-based access controls with quarterly access reviews documented and stored
  • Vulnerability scanning integrated into your development and deployment pipeline
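As an added illustration of the automated evidence collection described in Phase 2 and of the MFA and access review items in the list above (this is example code, not Thoropass's software or one of its integrations), the script below turns a constructed identity-provider user export into an evidence record for two controls: MFA enabled on every account with in-scope access, and no in-scope account idle beyond the quarterly review window. The export field names, the system names, and the 90-day window are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an identity-provider user export, as an integration
# might pull it; the field names and system names are assumptions.
IDP_EXPORT = json.dumps([
    {"user": "alice@example.com", "mfa_enabled": True, "role": "engineer",
     "last_login": "2024-05-20T09:12:00Z", "systems": ["aws-prod", "github"]},
    {"user": "bob@example.com", "mfa_enabled": False, "role": "engineer",
     "last_login": "2024-05-18T14:03:00Z", "systems": ["aws-prod"]},
    {"user": "carol@example.com", "mfa_enabled": True, "role": "contractor",
     "last_login": "2024-01-02T08:00:00Z", "systems": ["github"]},
    {"user": "wiki-bot", "mfa_enabled": False, "role": "service",
     "last_login": "2024-05-21T00:00:00Z", "systems": ["wiki"]},
])

# Systems inside the SOC 2 system boundary that hold customer data (assumed).
IN_SCOPE_SYSTEMS = {"aws-prod", "github"}
STALE_DAYS = 90  # quarterly access review window


def collect_access_evidence(export_json: str, as_of: datetime) -> dict:
    """Test two controls against an IdP export and return an evidence record:
    MFA enabled for every account with in-scope access, and no in-scope
    account idle for more than STALE_DAYS (the quarterly access review)."""
    users = json.loads(export_json)
    cutoff = as_of - timedelta(days=STALE_DAYS)
    missing_mfa, stale = [], []
    for u in users:
        if not IN_SCOPE_SYSTEMS & set(u["systems"]):
            continue  # access limited to out-of-scope systems is not reported
        if not u["mfa_enabled"]:
            missing_mfa.append(u["user"])
        last = datetime.fromisoformat(u["last_login"].replace("Z", "+00:00"))
        if last < cutoff:
            stale.append(u["user"])
    return {
        "collected_at": as_of.isoformat(),
        # Hash of the raw export so the auditor can tie the record to its source.
        "source_sha256": hashlib.sha256(export_json.encode()).hexdigest(),
        "controls": {
            "mfa_enforced": {"pass": not missing_mfa, "exceptions": missing_mfa},
            "access_review": {"pass": not stale, "stale_accounts": stale},
        },
    }


def evidence_for_sample() -> dict:
    """Run the check against the constructed export as of a fixed date."""
    return collect_access_evidence(
        IDP_EXPORT, datetime(2024, 5, 22, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(evidence_for_sample(), indent=2))
```

Run on a schedule and stored with its timestamp and source hash, each record becomes one dated artifact in the observation period rather than a screenshot collected at the end.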

Ongoing operational requirements

Security awareness training needs to be completed by all employees on a documented schedule, not just at onboarding. You need records of vendor risk reviews, internal risk assessments, and any security incidents along with how your team responded to each one.

These operational records form the evidence auditors test against during fieldwork, and they're the items most teams underinvest in before their first audit. Unlike policies, which you write once and update periodically, operational evidence accumulates only through consistent execution over time, so starting early directly determines how clean your final report looks.

Thoropass SOC 2 pricing: typical ranges and drivers

Thoropass SOC 2 pricing isn't published on their website, and the number you see in a proposal depends heavily on your organization's size, scope, and audit timeline. Based on market reporting and customer accounts, most companies budget between $15,000 and $50,000 for a combined readiness and Type II audit engagement with Thoropass. Smaller startups with straightforward environments and a Security-only scope tend to land at the lower end. Larger companies with complex infrastructure, multiple criteria, or a longer audit observation period push toward the higher end.

Your total spend scales with the complexity of your system boundary, not just your headcount, so scoping accurately upfront is the most direct way to control cost.

What drives the cost up

Several factors push your total engagement cost higher, and understanding them before you request a quote helps you negotiate more effectively. The number of Trust Services Criteria you include beyond Security adds control requirements that take more auditor time to test, which raises the audit fee directly. A twelve-month observation period costs more than a three-month period for the same reason. If your environment includes many subservice organizations or custom-built infrastructure components with limited integration support, your evidence collection burden increases, which means more billable hours on both your side and the auditor's side.

  • Multiple Trust Services Criteria selected beyond Security
  • Longer observation windows (twelve months versus three)
  • Large employee headcount requiring broader access review coverage
  • Complex cloud environments with limited automated evidence collection
  • First-time audit requiring more guidance from the compliance team

How to approach the pricing conversation

When you request a quote, come prepared with a clear system boundary description and a defined list of criteria you intend to include. Vendors price faster when they aren't estimating scope for you. Ask specifically whether the quoted price covers the full Type II audit report or separates readiness consulting fees from audit fees, since some proposals bundle these and others don't. Also confirm whether follow-on audits in subsequent years carry a renewal discount, because your second and third audits require significantly less remediation work than your first.


Quick wrap-up and next steps

Thoropass SOC 2 gives healthcare SaaS vendors a faster path to Type II certification by combining compliance software with in-house auditors under one vendor. The platform automates evidence collection, structures your readiness work, and keeps your team aligned on what's outstanding at every stage. Pricing runs $15,000 to $50,000 depending on your scope and timeline, and the biggest cost driver is the complexity of your system boundary, not your team size.

If your product connects to EHR systems, your buyers expect both SOC 2 Type II and HIPAA compliance before they'll move a contract forward. Getting your security program in order early shortens that sales cycle. At SoFaaS, we built our platform on SOC 2 Type II certified infrastructure so your team can skip the compliance groundwork and focus on building. See how SMART on FHIR integration works and connect to major EHR systems in days.
