INTERNAL ONLY - Certifications and Security at a Glance

Review the link below to see information about the Lightning Step and Sunwave Certifications and the standard behind those certifications.

Link to Certifications and Security at a Glance

The base information from the link is reproduced below, but use the link for an easier-to-follow format.

Security Certifications & Standards

Lightning Step Technologies + Sunwave Health | Last Updated: December 2025

Elevating care through security excellence. Lightning Step maintains industry-leading security certifications and compliance standards to protect patient data and ensure regulatory adherence. These independent, third-party validations demonstrate our unwavering commitment to information security, AI governance, and healthcare compliance.

ISO 27001:2022
CERTIFIED MARCH 2025
Information Security Management System (ISMS) - The international gold standard for information security. ISO 27001 certification proves we maintain a comprehensive, audited security program covering people, processes, and technology.
• 114 security controls across 93 categories
• Annual surveillance audits by Intercert
• Risk management, access controls, encryption, incident response

ISO 42001:2023
CERTIFIED MAY 2025
AI Management System (AIMS) - The world's first international standard for responsible AI governance. Lightning Step is industry-first among behavioral health EHR providers to achieve this certification.
• Ensures AI transparency, accountability, and human oversight
• Validates responsible AI development lifecycle
• Addresses emerging AI regulatory requirements

SOC 2 Type II
CERTIFIED DECEMBER 2025 (LIGHTNING STEP + SUNWAVE)
Service Organization Control 2 - Independent audit of security controls over a 12-month observation period. SOC 2 Type II validates that our controls aren't just designed well—they operate effectively over time.
• All 5 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
• 12-month continuous monitoring (not point-in-time)
• Audited by licensed CPA firm

ONC Health IT Certification
CERTIFIED UNDER §170.315 (LIGHTNING STEP + SUNWAVE)
Office of the National Coordinator - Federal certification required for EHR systems to participate in CMS incentive programs, Meaningful Use, and MIPS reporting. Ensures interoperability and clinical quality measures.
• Certified by ONC-ACB (Drummond Group)
• Annual attestations and Real World Testing
• Supports USCDI v1/v2 data exchange

HIPAA Compliance
100% COMPLIANT (LIGHTNING STEP + SUNWAVE)
Health Insurance Portability and Accountability Act - Federal law protecting patient health information. Lightning Step implements all 54 HIPAA Security Rule standards, including administrative, physical, and technical safeguards.
• Business Associate Agreements (BAAs) with all customers
• AES-256 encryption at rest, TLS 1.3 in transit
• Role-based access controls and comprehensive audit logging
• Annual risk assessments and security training

42 CFR Part 2
FULLY COMPLIANT (LIGHTNING STEP + SUNWAVE)
Substance Use Disorder Privacy - Federal regulation providing enhanced privacy protections for substance use disorder (SUD) treatment records. Stricter than standard HIPAA requirements.
• Separate consent workflows for Part 2 records
• Enhanced access controls and audit trails
• Critical for addiction treatment facilities

EPCS Certification
CERTIFIED NOVEMBER 2025
Electronic Prescribing of Controlled Substances - DEA-approved system for prescribing Schedule II-V controlled medications electronically. Certified through DoseSpot integration under 21 CFR Part 1311.
• Drummond Group certified
• Two-factor authentication for DEA compliance
• Supports all DEA security requirements

HITRUST CSF
TARGET Q4 2026 (LIGHTNING STEP + SUNWAVE)
Health Information Trust Alliance - Comprehensive healthcare security framework combining ISO 27001, NIST, HIPAA, and other standards. Currently 93% control coverage; certification planned for Q2 2026.
• Harmonized framework (20+ standards)
• 18-month validation process underway
• Builds on existing ISO 27001 foundation

Additional Compliance: AWS infrastructure • US-only data storage • GDPR readiness • State data privacy laws (CCPA, VCDPA, CDPA, CTDPA, UCPA, MHMDA)

Questions about our security certifications? Contact compliance@lightningstep.com