At MEG, protecting sensitive healthcare data is a core part of who we are. That’s why we’re thrilled to announce that MEG has achieved the prestigious SOC 2 Type II attestation, a globally respected benchmark that reflects our commitment to privacy, security, and operational integrity.
We recently spoke with Guvanch Meredov, MEG’s Head of Compliance and Data Protection Officer, to learn more about what this milestone means for MEG, our customers, and the wider healthtech ecosystem.
In this blog, you'll discover:
What is SOC 2 Type II and why does it matter?
What does SOC 2 Type II evaluate?
How MEG Achieved SOC 2 Type II
What does this mean for our customers and partners?
What’s next in MEG’s compliance journey
Final Reflection
What is SOC 2 Type II and why does it matter?
SOC 2 Type II is one of the highest security standards in SaaS. Developed by the American Institute of Certified Public Accountants (AICPA), it goes beyond a one-time review: it evaluates how effectively an organisation operates its data protection and security controls over 12 months.
While SOC 2 Type I assesses design at a single point in time, Type II proves that those controls are consistently implemented over months of real-world operation.
“SOC 2 Type II shows that our controls don’t just exist on paper, they’re consistently applied in real operations.”
For healthcare providers and regulated organisations working with us, this is a meaningful assurance: MEG can securely manage their sensitive data at scale with the highest standards of protection.
What does SOC 2 Type II evaluate?
The audit evaluates MEG’s controls across five key trust service principles:
Security — Protecting data against unauthorised access
Availability — Ensuring systems are reliable and operational
Confidentiality — Keeping sensitive information private
Processing Integrity — Ensuring systems operate correctly and without error
Privacy — Safeguarding personal data in line with regulations
The scope included our cloud infrastructure, encryption protocols, access controls, incident response, and more, providing a thorough evaluation of both technical and procedural safeguards.
How MEG Achieved SOC 2 Type II
Our attestation covers June 2024 through May 2025, and was the result of a sustained, company-wide effort. The journey included:
Scoping and defining systems under audit
Implementing and refining controls aligned with trust service criteria
Rigorous internal readiness checks
Extensive evidence gathering to demonstrate compliance in practice
Third-party validation and testing
This builds on MEG’s existing ISO 27001 certification and GDPR adherence, enabling us to maintain a high standard of trust and transparency.
What does this mean for our customers and partners?
Whether you're an existing customer or evaluating MEG, this attestation brings key advantages like:
Independent validation of our ability to manage sensitive data securely
Alignment with major compliance frameworks — including GDPR, ISO 27001, Cyber Essentials, and the NHS DSPT
Faster procurement and onboarding, thanks to verifiable third-party assurance
Increased credibility with public sector buyers, supported by our UK G-Cloud 14 listing
Clients can also request executive summaries, audit reports, or attestations to support their own compliance requirements.
“For our customers, it provides independent assurance that MEG can safely manage and process sensitive healthcare data at scale.”
What’s next in MEG’s compliance journey
SOC 2 Type II attestation is a major milestone but not the finish line. MEG is committed to ongoing compliance through:
Annual ISO 27001 and SOC 2 Type II surveillance audits
Biannual penetration tests and vulnerability scans
Continuous staff training and policy reviews
Automated real-time monitoring of security controls
Regular GDPR Data Protection Impact Assessments (DPIAs) and related processes
With growing interest in US and international markets, MEG is aligned with HIPAA requirements and is scheduled for an external audit to validate compliance in Q4 2025.
Final Reflection
SOC 2 Type II is more than a logo or a line on a slide. It reflects the reality that when organisations trust MEG, they’re trusting us with something sacred—the safety, privacy, and dignity of people’s health data.
We take that responsibility seriously. And now, we have the audit to prove it.
Want to review our SOC 2 report? Reach out at dataprotection@megit.com
If you are interested in discovering how MEG can meet your data protection, operational, and regulatory needs, our team is here to help.