SOC 2, ISO 27001, GDPR, and HIPAA, Explained for Software Buyers
Four acronyms show up on nearly every security review, and they get conflated constantly. Here is what each one really means, what it does not mean, and how to evaluate a vendor honestly. This is general guidance, not legal advice.
If you have ever sat on either side of a software purchase, you have seen the same four acronyms cycle through the conversation: SOC 2, ISO 27001, GDPR, HIPAA. They get treated as interchangeable badges, as if collecting all four means a vendor has won some compliance video game. They are not interchangeable. They answer different questions, they are issued by different kinds of authorities, and confusing them leads to bad buying decisions.
I want to walk through each one the way I would explain it to a colleague over coffee, not the way a glossary would. The goal is for you to read a vendor's security page and understand what is actually being claimed. A quick disclaimer before we start: this is a general buyer's explanation, not legal advice. For anything binding, talk to counsel who knows your jurisdiction and industry.
SOC 2: an audit of how you operate
SOC 2 is a report produced by an independent auditing firm. It examines whether a service organization actually follows its own stated controls across areas like security, availability, and confidentiality. The crucial distinction is between Type I and Type II. A Type I report says the controls were designed appropriately at a single point in time. A Type II report says an auditor watched those controls operate over a window, usually six to twelve months, and confirmed they held up.
Type II is the one that carries real weight, because anyone can write a good policy on paper. Watching it function for the better part of a year is what proves discipline. When a vendor says they are SOC 2 certified, ask which type, ask for the report under a non-disclosure agreement, and check the observation period. A report covering a window that ended two years ago is a yellow flag worth a question.
ISO 27001: a certified management system
ISO 27001 is an international standard for running an information security management system, which is a fancy way of saying a structured, ongoing program for identifying risks and managing them. Unlike SOC 2, it results in a formal certificate issued by an accredited body, and it is recognized globally, which makes it especially useful for buyers outside North America.
Where SOC 2 tends to read as an attestation report, ISO 27001 reads as a certification that the organization has a living process. The two overlap heavily in practice, and many serious vendors hold both because different customers in different regions ask for different proof. If you operate internationally, the presence of ISO 27001 alongside SOC 2 is a good signal that a vendor has invested in being credible across markets.
GDPR: a law about personal data
Here is where buyers most often go wrong. GDPR is not a certification you can earn. It is a law in the European Union that governs how organizations handle the personal data of people in the EU. There is no official GDPR certificate to hang on a wall. When a vendor says they are GDPR compliant, what they mean is that their practices are designed to meet the law's requirements: lawful basis for processing, honoring data subject rights, appropriate security, breach notification, and a willingness to sign a data processing agreement.
So the right question is not whether a vendor is certified for GDPR, because nobody is. The right questions are whether they will sign a data processing agreement, where they store data, who they share it with, and how they handle requests from individuals to access or delete their data. The law applies to anyone handling EU residents' data regardless of where the company sits, so do not assume it is only a European concern.
HIPAA: a US framework for health information
HIPAA is a United States framework governing protected health information. Like GDPR, it is not a certificate. The practical artifact that matters in a vendor relationship is the Business Associate Agreement, often shortened to BAA. If your organization handles protected health information and you want a vendor to process it, that vendor needs to be willing and able to sign a BAA and to operate under HIPAA's safeguards.
A vendor claiming to be HIPAA compliant without offering a BAA is making an empty statement. The agreement is the thing that actually binds them to handle health data appropriately. If you are in healthcare or adjacent to it, the BAA question is the one that separates real readiness from marketing.
How to read the claims like a pro
Once you understand what each one is, evaluating a vendor gets much simpler. You stop collecting badges and start asking the question behind each badge.
- For SOC 2, ask for the Type II report and check the observation period and the scope.
- For ISO 27001, ask for the certificate and confirm which entity issued it and what it covers.
- For GDPR, ask whether they will sign a data processing agreement and where data is stored.
- For HIPAA, ask whether they will sign a BAA, and do not accept the word compliant without it.
- For all of them, ask when the evidence was last refreshed. Stale attestations are a warning.
Why one foundation beats four bolt-ons
The vendors that handle this well do not treat each framework as a separate project bolted onto a fragile product. They build one well-governed foundation, then map it to the frameworks customers care about. That is far more credible than a patchwork, because the controls reinforce each other instead of competing for attention. When you are evaluating, a vendor that can speak fluently about all four and show you the artifacts is telling you something real about how they run.