What is SOC 2?
SOC 2 is the report enterprise buyers ask SaaS vendors for. Here is what it covers, the Type I versus Type II difference, and how to get there.
SOC 2 (System and Organization Controls 2) is an attestation report, defined by the AICPA, on how well a service organisation protects customer data. For SaaS and cloud companies selling to enterprises, a SOC 2 report is often the ticket to closing deals and passing vendor security reviews.
Unlike a certification, SOC 2 is a report issued by a licensed CPA firm after examining your controls against the Trust Services Criteria. This guide covers the criteria, report types, and the path to getting one.
- SOC 2 is a CPA-issued report against the Trust Services Criteria, not a pass/fail certificate.
- Security (the common criteria) is required; availability, processing integrity, confidentiality, and privacy are optional add-ons.
- Type I assesses controls at a point in time; Type II assesses them over a period, usually 3 to 12 months.
- Enterprise buyers usually want Type II, so plan for an observation window.
The Trust Services Criteria
SOC 2 is built on five Trust Services Criteria. Security, often called the common criteria, is mandatory. You choose which of the others to include based on what you promise customers:
- Security: protection against unauthorized access (always included).
- Availability: the system is available as committed.
- Processing integrity: processing is complete, accurate, and timely.
- Confidentiality: confidential information is protected.
- Privacy: personal information is handled per your privacy notice.
Type I versus Type II
A Type I report describes your controls and tests whether they are suitably designed at a single point in time. A Type II report goes further and tests whether those controls operated effectively over a period, typically three to twelve months. Because Type II proves controls work over time, it is what most enterprise customers ask for.
How to get report-ready
Define your scope and the criteria you will include, implement the controls, then run them long enough to generate an evidence trail for the Type II window. A CPA firm then performs the examination and issues the report, which you share with customers under NDA.
The observation window is where teams struggle, because it requires continuous, dated evidence. Automating evidence collection makes the window a formality rather than a manual burden.
Frequently asked questions
Get SOC 2-ready without the scramble
Automate the evidence behind a clean Type II report. Start by seeing your current exposure.
Run a free check