
INTERNAL ONLY - Security and Compliance Internal FAQ and Talking Points

In this article, you will find a guide for common questions about security and compliance, and recommendations on how to answer the questions.


INTERNAL USE ONLY

Security & Compliance

Internal FAQ & Talking Points

Lightning Step Technologies + Sunwave Health

For Customer Success, Implementations & Sales Teams

How to Use This Guide

This document helps you confidently answer customer security and compliance questions. Each section includes:

  • Customer-facing answers - What you can tell customers
  • Internal context - Background you need to know
  • Objection handling - Common pushback and responses
  • Escalation paths - When to loop in Compliance

Quick Contacts:

  • Security Questions: compliance@lightningstep.com
  • Document Requests: Daniela Atanasovska
  • Urgent Escalations: Dustin Cirrincione or Martin Ignatovski
  • Questionnaire Turnaround: 5-7 business days (standard)

Certification Status at a Glance

Use this table to quickly answer 'what certifications do you have?' questions:

Certification | Status | What to Say
--- | --- | ---
ISO 27001:2022 | Certified | "Certified March 2025, audited by Intercert"
ISO 42001:2023 | Certified | "Industry-first for behavioral health EHR"
SOC 2 Type II | Certified | "All 5 Trust Service Criteria covered"
ONC Health IT | Certified | "Certified EHR under §170.315"
EPCS (via DoseSpot integration, 21 CFR 1311) | Certified | "Drummond Group certified, Nov 2025"
HIPAA | 100% Compliant | "All 54 Security Rule standards"
42 CFR Part 2 | Compliant | "Full SUD privacy protections"
HITRUST CSF | Target Q4 2026 | "On our roadmap, 93% control coverage today"

General Security Questions

These are the most common questions you'll hear on sales calls, implementation kickoffs, and support tickets. Master these first.

"Is Lightning Step secure?" / "Can I trust you with my patient data?"

What to Say:

"Absolutely. Security isn't an add-on for us - it's built into everything we do. We hold ISO 27001 and SOC 2 Type II certifications, maintain 100% HIPAA compliance, and we're one of the first behavioral health EHR providers with ISO 42001 certification for AI governance. Over 3,000 facilities trust us with their data."

Internal Context:

  • This is our #1 competitive differentiator vs. smaller EHR vendors
  • The ISO 42001 certification is rare - most competitors don't have it
  • SOC 2 Type II covers a 12-month observation period (not just a point-in-time check)

"What certifications do you have?"

What to Say:

"We hold ISO 27001 for information security, ISO 42001 for AI governance, SOC 2 Type II covering all five Trust Service Criteria, ONC Health IT certification, and EPCS certification for controlled substance prescribing through our integration with DoseSpot (Drummond Group certified under 21 CFR 1311). We're also 100% HIPAA compliant and fully support 42 CFR Part 2 for substance use disorder records."

What NOT to Say:

  • Don't say "HIPAA certified" - HIPAA doesn't have a certification, only compliance
  • Don't promise HITRUST - it's on our roadmap for Q4 2026 but not certified yet

"Can I see your SOC 2 report?" / "I need proof of your certifications"

What to Say:

"Of course! Our SOC 2 Type II report requires a mutual NDA, which is standard practice. I'll connect you with our compliance team to get those documents."

Internal Context:

  • Email compliance@lightningstep.com with customer name and request
  • NDA typically uses our template; customer template OK if reviewed by legal
  • Turnaround: 1-2 business days for standard docs, same day if urgent deal

Data & Privacy Questions

These come up frequently during security reviews and implementation. Know these cold.

"Where is my data stored?"

What to Say:

"All data is stored in secure AWS data centers in the United States and your data never leaves the US."

Internal Context:

  • This is important for customers with state data residency requirements
  • Some government contracts require US-only storage - we meet this

"Is my data encrypted?"

What to Say:

"Yes, all data is encrypted both at rest using AES-256 encryption and in transit using TLS 1.3. Backups are also fully encrypted."

If They Ask for More Detail:

  • Key management: AWS KMS (Key Management Service)
  • Minimum TLS version: 1.2 (we prefer 1.3)
  • Database encryption: Transparent Data Encryption (TDE)

"Do you sell our data?" / "Who has access to our data?"

What to Say:

"We never sell patient data, period. Access is strictly controlled using role-based permissions - our staff only access what they need to support you. All access is logged and auditable."

HIPAA & Healthcare Compliance

"Are you HIPAA compliant?" / "Do you sign BAAs?"

What to Say:

"Yes, we're 100% HIPAA compliant across all 54 Security Rule standards. We sign BAAs with every customer before go-live - it's part of our standard process. Our BAA also covers 42 CFR Part 2 for substance use disorder records."

Internal Context:

  • If a customer wants to use their own BAA, send it to compliance for review (2-3 days)
  • Never go live without a signed BAA on file

"What is 42 CFR Part 2?" / "Do you support Part 2?"

What to Say:

"42 CFR Part 2 provides extra privacy protections for substance use disorder treatment records - it's stricter than standard HIPAA. We're fully compliant, with separate consent workflows, enhanced access controls, and complete audit trails for Part 2 records. This is essential for addiction treatment facilities."

Why This Matters (Sales Angle):

Many EHR vendors don't properly support Part 2. This is a key differentiator for behavioral health and addiction treatment prospects. If they treat SUD, emphasize this.

"Are you ONC certified?" / "Can we use you for Meaningful Use?"

What to Say:

"Yes, we're ONC Health IT certified under §170.315. This means you can use Lightning Step for CMS incentive programs, MIPS reporting, quality measures, and Meaningful Use attestation."

"Do you support EPCS?"

What to Say:

"Yes! Lightning Step supports EPCS through our integrated DoseSpot 8.0 module, which is fully certified for electronic prescribing of controlled substances. Our integration has been reviewed and verified by Drummond Group to meet 21 CFR Part 1311 requirements for Schedule II-V prescriptions, including two-factor authentication and all DEA security requirements."

Internal Context:

  • DoseSpot is our e-prescribing partner - implementation team handles setup

AI Feature Questions

AI concerns are increasing. Be prepared to address these - they come up more and more on sales calls.

"Does Lightning Step use AI?" / "Is AI making clinical decisions?"

What to Say:

"We use AI for administrative tasks - not clinical decisions. Our AI helps with documentation, claim error detection, and transcription. Clinical decisions are always made by your licensed providers. AI assists but never decides."

Key Differentiator:

We're ISO 42001 certified - the first international standard for AI management. This means an independent auditor verified we develop trustworthy AI, maintain transparency and ensure human oversight. Most competitors can't say this.

"Can we turn off AI features?"

What to Say:

"Yes, AI features can be enabled or disabled based on your preferences. Your CSM can help you configure what's right for your organization."

"What about state AI laws?" (Colorado, Texas, California)

What to Say:

"We monitor emerging AI regulations. Our ISO 42001 framework positions us well for compliance with both current and future AI legislation."

Internal Context:

  • If customer needs detailed state-by-state analysis, escalate to compliance@lightningstep.com
  • We have AI Impact Assessments on file for our major AI systems

Common Objections & Responses

Use these responses when customers push back or compare us to competitors.

"[Competitor] has HITRUST, why don't you?"

"Great question. HITRUST is on our roadmap for Q2 2026. In the meantime, we have ISO 27001 plus SOC 2 Type II, which together cover nearly all of the controls HITRUST covers. We also have ISO 42001 for AI governance - something most HITRUST-certified vendors don't have."

"Your competitor says they're more secure"

"Ask them to show you their SOC 2 Type II report and ISO certifications. We're happy to share ours. We hold more security certifications than most behavioral health EHR vendors, and we're transparent about our controls."

"We need to do a security assessment / send you a questionnaire"

"Absolutely - we welcome that. We respond to security questionnaires regularly and have pre-completed responses for SIG, CAIQ, HECVAT, and custom formats. Email it to compliance@lightningstep.com and we'll typically turn it around in 5-7 business days."

"We've had bad experiences with vendor security in the past"

"I understand that concern completely. That's exactly why we invest so heavily in independent certifications - ISO 27001, SOC 2 Type II, ISO 42001. These aren't self-assessments; they're verified by independent auditors. Would it help if I walked you through our security documentation?"

When to Escalate

You can handle most questions with this guide. Escalate these scenarios:

Scenario | Escalate To | Turnaround
--- | --- | ---
Security questionnaire / vendor assessment | compliance@lightningstep.com | 5-7 business days
Request for SOC 2 report or certificates | compliance@lightningstep.com | 1-2 business days
Custom BAA review | compliance@lightningstep.com | 2-3 business days
Customer wants on-site audit | Martin/Dustin | Schedule discussion
Suspected security incident reported by customer | IMMEDIATE: Dustin/Daniela/Martin | Same day
Detailed AI governance / state law questions | compliance@lightningstep.com | 1-2 business days
Competitor claims we're not compliant | compliance@lightningstep.com | Same day

INTERNAL USE ONLY - DO NOT SHARE WITH CUSTOMERS

Last Updated: December 2025 | Version 1.0

Questions? Slack #compliance or email compliance@lightningstep.com