"*" indicates required fields

This field is hidden when viewing the form
This field is hidden when viewing the form

Solutions & Products Our Influence Case Studies About Contact Us
Solutions
Pricing Research New Product Research Communities Segmentation Brand Equity Research Satisfaction & Loyalty
Products & Methods
Conjoint Expertise Bracket™ Two Dimensional Max-Diff (2DMD)™ Agile Suite™
Blog Relationship with Academia TRC Events White Paper Library
Our Team TRC Clients Key Industries Testimonials Careers Data Security Fraud in Surveys
Data Security at TRC Insights

HITRUST CSF Certified and SOC 2 Audited

TRC Insights holds two of the most rigorous independent validations of data security available to a market research firm: HITRUST CSF Certification and a SOC 2 audit.

Together, they give our Fortune 500, healthcare, fintech, pharma, CPG, and utility clients verified assurance that their respondent data, study designs, and competitive intelligence are protected by best-in-class controls.

HITRUST CSF Certification

TRC has been certified by an authorized third-party HITRUST assessor and renews that certification on the published HITRUST cycle. The HITRUST Common Security Framework is widely regarded as the most prescriptive and comprehensive information security framework available, harmonizing the requirements of HIPAA, NIST, ISO 27001, COBIT, PCI DSS, GDPR, and other major regulations into a single benchmarked standard.

Achieving certification means TRC has demonstrated — across 19 control domains and a granular set of control requirements — that we appropriately manage the regulatory, contractual, and stakeholder expectations associated with sensitive data.

SOC 2 Attestation

TRC also undergoes a SOC 2 examination conducted annually by an independent CPA firm under the AICPA’s Trust Services Criteria. The audit evaluates the design and operating effectiveness of our controls across security, availability, and confidentiality.

The resulting SOC 2 report is the standard documentation requested by enterprise procurement and information-security teams during vendor onboarding, and it is available to qualified clients under NDA.

Why Both?

SOC 2 confirms that our controls operate as we describe them. HITRUST certifies that those controls meet a globally benchmarked standard. Together, they provide research buyers with assurance that is both comprehensive (HITRUST) and continuously attested (SOC 2) — covering the full set of data-security questions InfoSec and procurement teams ask of any third-party research partner.

What this means for our clients

  • Verified protection of personally identifiable information (PII), protected health information (PHI), and confidential commercial data
  • Streamlined third-party risk assessments — our SOC 2 report and HITRUST certification letter satisfy the majority of vendor-risk questionnaires on first request
  • Alignment with HIPAA, NIST 800-53, ISO 27001, GDPR, PCI DSS, and other major frameworks
  • Annual independent review on documented audit cycles

Clients can request our current SOC 2 report and HITRUST certification letter through their TRC account team.

 

Frequently Asked Questions

Q1. Is TRC Insights HITRUST CSF Certified?

Yes. TRC Insights holds active HITRUST CSF Certification, validated by an authorized HITRUST third-party assessor. Certification confirms that TRC’s information security program meets the prescriptive control requirements of the HITRUST Common Security Framework across 19 control domains.

Q2. Does TRC Insights have a SOC 2 report?

Yes. TRC undergoes an annual SOC 2 examination performed by an independent CPA firm under the AICPA’s SSAE 18 standards. The audit covers the security, availability, and confidentiality Trust Services Criteria, and the resulting SOC 2 report is available to qualified clients under NDA.

Q3. What is the difference between HITRUST and SOC 2?

SOC 2 is an attestation report issued by a CPA firm — the auditor expresses an opinion on whether the controls TRC defines meet the AICPA Trust Services Criteria. HITRUST is a certification — an Authorized External Assessor evaluates TRC’s controls against the HITRUST CSF’s prescriptive, predefined control set, and HITRUST issues a pass/fail certification. SOC 2 is principle-based and flexible; HITRUST is prescriptive and benchmarked. The two are complementary: SOC 2 confirms TRC’s controls operate as described; HITRUST certifies they meet a globally recognized standard.

Q4. Why does TRC Insights maintain both HITRUST and SOC 2?

Because they answer different questions. HITRUST certifies that TRC’s controls meet a globally benchmarked standard mapped to 40+ regulations including HIPAA, NIST, ISO 27001, GDPR, and PCI DSS. SOC 2 attests, through an independent CPA opinion, that those controls operate effectively over time. Holding both lets TRC satisfy InfoSec and procurement requirements across healthcare, pharma, fintech, CPG, and utility clients without separate one-off questionnaires.

Q5. Does TRC Insights comply with HIPAA?

Yes. TRC’s HITRUST CSF Certification incorporates the HIPAA Security Rule and Privacy Rule requirements, and TRC executes Business Associate Agreements (BAAs) with healthcare clients as required. HITRUST is widely accepted in the healthcare industry as evidence of robust HIPAA-aligned safeguards for protected health information (PHI).

Q6. What standards and regulations does the HITRUST CSF cover?

The HITRUST Common Security Framework integrates more than 40 authoritative sources, including HIPAA, the HITECH Act, NIST 800-53, NIST CSF, ISO 27001/27002, COBIT, PCI DSS, GDPR, the AICPA Trust Services Criteria, and state-level privacy regulations. This is why HITRUST certification provides assurance across multiple compliance regimes simultaneously.

Q7. Which Trust Services Criteria does TRC’s SOC 2 audit cover?

TRC’s SOC 2 audit covers security, availability, and confidentiality. Security is the mandatory “common criteria” baseline for every SOC 2 examination; availability and confidentiality are added because they directly speak to the obligations TRC owes its market research clients — keeping research environments accessible and protecting commercially sensitive client data.

Q8. Who conducts TRC’s HITRUST and SOC 2 audits?

Both engagements are performed by independent third parties. TRC’s HITRUST assessment is conducted by a HITRUST Alliance Authorized External Assessor; the SOC 2 examination is conducted by a licensed CPA firm under AICPA SSAE 18 standards. Neither audit is performed in-house.

Q9. How can clients obtain TRC’s SOC 2 report and HITRUST certification letter?

Existing and prospective clients can request both documents through their TRC account team or by contacting TRC directly via privacy@trcinsights.com. SOC 2 reports are released under non-disclosure agreement; the HITRUST certification letter can be shared more broadly to satisfy initial vendor risk reviews.

Q10. What types of data does TRC Insights protect?

TRC’s controls cover all categories of data the firm encounters in market research engagements: respondent personally identifiable information (PII), protected health information (PHI) when working with healthcare and pharma clients, payment-card data when relevant, and confidential client business information including pricing, brand strategy, and competitive intelligence.

Q11. Which industries require HITRUST or SOC 2 from market research vendors?

Healthcare, pharma, and health-tech clients increasingly require HITRUST certification or BAA-eligible HIPAA compliance from any vendor handling patient or member data. Fintech, financial services, and Fortune 500 enterprise procurement teams routinely require SOC 2 reports during vendor onboarding. Utilities, CPG, and large B2B clients commonly request both as part of their third-party risk management programs.

Q12. How often does TRC renew its certifications?

TRC’s SOC 2 audit is conducted annually. The HITRUST certification is renewed on HITRUST’s published cycle for the assessment level held (one or two years depending on assessment type), with required interim assessments. Renewal evidence is available to clients on request.