Are you a patient needing help accessing your Covid test results? Give our support team a call at 317-794-3900 and we'd be happy to assist or check out our patient portal guide here.


Schedule a Demo

Seeing is believing, let us show you the power of GoRev

Quick Contact

Or to Schedule a demo call our sales team at

(317) 794-3929

Security and Compliance

for GoRev Data Management.

GoRev Security

Security compliance certifications and regulations.

SOC 1 Type 2

GoRev Practice Management and Revenue Cycle Management system is SOC 1 Type 2 certified. This SOC 1 Type 2 report covers controls relevant to Financial Reporting (SSAE-18). This report is used by customers undergoing financial statement audits and those who require compliance with the Sarbanes-Oxley Act or similar regulation. It reports on the effectiveness of controls in achieving stated objected throughout a specified period and was formerly known as SAS 70.


SOC 2 Type 2

GoRev Practice Management and Revenue Cycle Management system is SOC 2 Type 2 certified. Our SOC 2 Type 2 report covers controls related to Security and Confidentiality. This report is used by customers who require confidence in the critical business processes and procedures to complement compliance with the Health Information Portability and Accountability Act (HIPAA), Payment Card Industry Digital Security Standard (PCI-DSS), and other industry or government regulations with relevant requirements.


HIPAA Compliant

GoRev is a fully HIPAA compliant solution and takes your medical privacy and security needs seriously! We will enter into a Business Associate Agreement (BAA) with you.

Security Measures

  • Data encryption in transit via TLS1.3
  • Data encrypted at rest
  • Multi factor authentication
  • Granular role based permission management
  • Annual penetration testing is performed by a third party
  • Vulnerability scanning is performed regularly by a third party
  • SOC 2 / HITRUST certified Data Center

Security FAQs

Where does my data live?

GoRev’s infrastructure is hosted exclusively by Expedient and all data in transit is encrypted using the most up-to-date protocols (specifically TLS V1.2 and AES-256).

How do you ensure no other client sees my data?

Customers are provisioned with dedicated networks, database clusters, and compute nodes. This micro segmentation strategy ensures Customer data is separate and secured at all times.

How do you assess third parties before and during their service?

Any vendor with the potential to access sensitive client data is required to provide an external audit or, at a minimum, submit to a risk interview and demonstrate best security practices. These artifacts are refreshed annually to ensure no lapse in oversight. Moreover, each vendor is required to sign a Business Associate Agreement (BAA) and contractually commit to data security practices.

Do you conduct a risk assessment at least annually?

Yes. We look at changes in the product line, the regulatory environment and the cyber threat. We assign risk scores and document an executive leadership review at least quarterly. These steps are verified in the annual SOC 2 audit.

Do you respond to requests for vendor risk assessment questionnaires?

We utilize the SecurityStudio suite for various risk assessment strategies internally and can provide our general assessment in the S2Vendor format at no additional cost once an NDA has been executed. Professional and Enterprise Clients may request we complete custom vendor risk assessment questionnaires at no additional cost. Other license types may request custom vendor risk assessments for a nominal fee covering the required labor.

Describe your data backup and recovery system.

We utilize database clusters consisting of a minimum of 3 nodes per cluster with a failure capability of one node per cluster. Backups are stored redundantly both on premise and offsite in a separate geographic zone from the primary site. We test backups regularly to ensure they are both complete and able to be restored. The recovery point objective is 24 hours with a recovery time objective of 4 hours.

Do you have an incident response program?

GoRev maintains a comprehensive incident classification and response procedure. While highly unlikely, should a breach occur GoRev has a third party security firm on retainer capable of initiating immediate incident response and necessary forensic analysis.

Do you perform security reviews during development?

Security is baked into the coding process, and a number of checks are performed to validate new code prior to deployment. Both manual and automated code scanning is performed to identify potential vulnerabilities prior to deploying new GoRev versions.