Sunny’s SOC 2 Compliance Certification: What It Means for Us and for You

At Sunny, we’re in the business of sensitive data. If a bad actor were to get their hands on it, it wouldn’t just be birthdays or email addresses. We safeguard financial and health data—the kind of information that, in the wrong hands, could cause real harm. That’s why protecting it is non-negotiable for us. 

I’ve been working in startups for a long time. Startups are, by their nature, about moving fast and innovating. But on my teams, security has never been something that’s up for debate. You don’t build trust by cutting corners, and trust is the foundation of everything we do. 

Today, I’m thrilled to share that Sunny has officially earned its System and Organization Controls (SOC) 2 Type II certification, the gold standard for data security. 

So, why does this matter, and what does it mean for the future of Sunny? Let’s get into it.  


What is SOC 2?

When a company contracts with a SaaS provider, it is essentially doing a trust fall. Once it begins sharing the data that lets its users access an application or platform over the internet, it’s up to the provider to keep that data in safe hands.

But how do you know who you can trust with this information? Since the 1970s there have been efforts to establish audit standards, with SOC 2 making its debut in the 2010s. The American Institute of Certified Public Accountants (AICPA) developed SOC 2 to vet companies and make sure they are as safe as they claim. The certification holds organizations accountable for controls relevant to security, availability, processing integrity, confidentiality, and privacy.

There are two types of SOC 2 certifications. 

SOC 2 Type I 

Type I evaluates a company’s security controls at a certain point in time, usually one day. This is widely regarded as a good starting point, but it is just that—a starting point. 

SOC 2 Type II 

Type II is not just a snapshot of Sunny’s controls on a random Tuesday. Often, this certification takes place over a period of six months to a year and evaluates how the controls perform over time. It takes a lot of planning, effort, and money. 

For us at Sunny, it was always clear which certification path we would pursue. It’s a reflection of the rigorous standards we uphold every day to ensure our platform is as safe and secure as possible for our clients and their users. 


Why you should care 

Compliance is not optional for payers. Health plans and employer groups are legally obligated to protect the privacy of their plan beneficiaries. Managed care organizations face even higher regulatory standards. In an era where breaches and data mishandling can have devastating consequences, choosing the right partner to administer benefits has never been more important. SOC 2 certification provides the proof stakeholders need to feel certain that Sunny is actively protecting their data at every level. 

For plan beneficiaries, this translates into peace of mind. Their financial and health data is treated with the care it deserves. This confidence enables beneficiaries to engage more fully with their benefits, whether they’re using rewards, tracking their health journey, or swiping their card. When they know their information is in safe hands, they can focus on their health and wellness instead of worrying about their privacy. 


What’s next for Sunny? 

Security is a marathon, not a sprint.  

It’s more than slapping a badge on our website and calling it a day; it’s an ongoing effort. In fact, SOC 2 certifications are only good for 12 months, which means we’ll be back at it this time next year to ensure our platform meets the highest standards. Later this year, we will obtain our HITRUST certification. HITRUST is a widely recognized benchmark in healthcare data security, and achieving it means meeting some of the most rigorous requirements in the industry. We take safety as seriously as we take our mission to simplify the healthcare experience.

This milestone also comes on the heels of our recent partnership with Costco, which further solidifies our commitment to providing a safe and secure platform for managing healthcare benefits, payments, and rewards. Together, we’re making it easier for people to maximize their benefits, save money, and improve their health—while also giving them the peace of mind that their personal data is well protected. 

Looking ahead, we’ll continue to build on this momentum, deepening relationships with partners who share our vision of a more accessible healthcare experience. As we continue to innovate and grow, we’re committed to doing it the right way: with trust, transparency, and security every step of the way. 

About the author:

Sashi Desikan brings over 20 years of experience in SaaS and PaaS to his role as Head of Technology at Sunny. Previously, he served as SVP of Engineering at Welltok, leading data-driven initiatives to optimize consumer health engagement, and as a Partner at Assabet Ventures, where he advised clients on product strategy and digital transformation.

A technology leader with expertise in cloud computing, machine learning, and predictive analytics, Sashi is passionate about building teams and solutions that drive customer success. At Sunny, he leads the charge of creating innovative, impactful healthcare engagement tools.
