What does KollGuard do?

KollGuard connects read-only to your GitHub repositories and databases (Postgres, Supabase), scans them for security gaps, and maps every finding to the controls auditors check. The first scan is free and takes minutes.

Which compliance frameworks does KollGuard support?

Twelve: SOC 2 and HIPAA are asserted directly from the technical checks, while ISO 27001, ISO 27701, PCI DSS, GDPR, NIST CSF, NIST 800-53 (the basis for NIST 800-171 and CMMC), HITRUST CSF, CIS Controls and the Joint Commission (JCAHO) Information Management standards are crosswalked from the same checks.

How is KollGuard different from Vanta, Drata, or Secureframe?

KollGuard actually scans your systems rather than only collecting evidence or sending questionnaires, starts free in minutes, is transparently and affordably priced, and lets vendors prove their posture without sharing source code or credentials.

Can KollGuard monitor my AI agents?

Yes. KollGuard's Agent Watch monitors the AI agents you deploy — MCP servers, CI bots, service accounts, and LLM agents — recording every run as a tamper-evident, hash-chained heartbeat, raising health and behavior-drift alerts, and emailing a nightly digest. It maps agent activity to the same SOC 2 and HIPAA controls as the rest of your security posture, so the AI agents touching your data are continuously monitored for compliance.

Does KollGuard need access to my source code?

No. KollGuard performs read-only checks against repository and database metadata and configuration; it never copies or stores your source code, and credentials are encrypted in a vault.

How much does KollGuard cost?

The first scan is free. Paid plans are Starter at $19.89/month and Growth at $99/month, with custom Enterprise pricing. There are no quote-based contracts to get started.

Does SOC 2 cover HIPAA?

Not really. There's overlap on technical controls, but SOC 2 doesn't require BAAs or specific PHI handling. Some auditors offer a SOC 2 + HIPAA mapping that bundles both — convenient but doesn't replace HIPAA compliance work.

Can I get a SOC 2 without HIPAA?

Yes — most SaaS does. SOC 2 is purely about your controls; you can have a clean SOC 2 with PHI you never touch.

Is HIPAA harder than SOC 2?

Different hard. HIPAA's technical bar is lower; the documentation + workforce-management bar is higher. SOC 2's technical bar is broader; the auditor expects more breadth across controls.

Cost: SOC 2 vs HIPAA?

SOC 2 has a defined cost: tool + auditor. HIPAA has no exam fee but unbounded risk (breach fines run into millions). Most healthtech treats HIPAA as a non-negotiable cost of doing business.

SOC 2 vs HIPAA — KollGuard

SOC 2

A CPA-issued attestation under AICPA SSAE 18 that a service organization meets the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). It is voluntary; it is not a law.

Who needs it: US SaaS selling to enterprise
Authority: AICPA / CPA firms
Issued as: Attestation report

HIPAA

A US federal law (1996, amended by HITECH 2009) regulating the protection of patient health information (PHI). It defines covered entities, business associates, and required safeguards.

Who needs it: Anyone handling US patient data
Authority: HHS / Office for Civil Rights
Issued as: No certification — internal documentation + OCR enforcement

Similarities

Both expect documented policies, workforce training, access controls, audit logs, and incident response.
Both have substantial overlap on technical controls (encryption in transit, MFA, change management).
Both reward consistency and documentation more than perfection.

Where they differ

Axis	SOC 2	HIPAA
Type	Voluntary attestation	Federal law (mandatory if you handle PHI)
Scope	Your service organization controls	PHI handling specifically
Report?	Yes — CPA-signed Type 1 or Type 2	No certification — internal evidence + OCR-audit-ready documentation
Enforcement	Contractual (customers ask for it)	Federal fines + criminal penalties for willful neglect
Cost	$5k–$50k auditor + $200–$3k/yr tool	No exam fee, but breach fines run into millions
Renewal	Annually (Type 2)	Continuous; OCR can audit anytime
Sub-processor chain	Vendor risk review optional	BAA required with every PHI sub-processor

Which do you need?

Pick SOC 2 if…

You're SaaS selling to US enterprises and procurement keeps asking for it. SOC 2 unlocks deals; HIPAA does not.

Pick HIPAA if…

Your product touches patient health information from a US covered entity. HIPAA is a legal requirement, not a sales asset — but it's table-stakes for healthtech.

Pick both if…

You sell healthtech SaaS. SOC 2 closes enterprise deals; HIPAA keeps you out of federal enforcement.

Pick neither if…

You're not selling to enterprises and you're not handling PHI. Build the product first; come back when a customer asks.

Frequently asked

Does SOC 2 cover HIPAA?: Not really. There's overlap on technical controls, but SOC 2 doesn't require BAAs or specific PHI handling. Some auditors offer a SOC 2 + HIPAA mapping that bundles both — convenient but doesn't replace HIPAA compliance work.
Can I get a SOC 2 without HIPAA?: Yes — most SaaS does. SOC 2 is purely about your controls; you can have a clean SOC 2 with PHI you never touch.
Is HIPAA harder than SOC 2?: Different hard. HIPAA's technical bar is lower; the documentation + workforce-management bar is higher. SOC 2's technical bar is broader; the auditor expects more breadth across controls.
Cost: SOC 2 vs HIPAA?: SOC 2 has a defined cost: tool + auditor. HIPAA has no exam fee but unbounded risk (breach fines run into millions). Most healthtech treats HIPAA as a non-negotiable cost of doing business.

SOC 2 vs HIPAA