SOC 2
Definition
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates a service organization's controls related to five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are the standard mechanism for SaaS companies and service providers to demonstrate their security practices to customers.
Trust Services Criteria
Security (Required)
Information and systems are protected against unauthorized access, disclosure, and damage. This is the only mandatory criterion and covers access controls, encryption, monitoring, and incident response.
Availability
Systems are available for operation and use as committed. Covers uptime, disaster recovery, business continuity, and performance monitoring.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized. Covers data processing controls and quality assurance.
Confidentiality
Information designated as confidential is protected as committed. Covers data classification, encryption, and access restrictions for confidential data.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in accordance with privacy commitments. Covers privacy notices, consent, and data subject rights.
Type I vs. Type II
Type I evaluates the design of controls at a specific point in time. It confirms controls exist and are appropriately designed but does not test whether they work consistently over time.
Type II evaluates both design and operating effectiveness over a period of time, typically 6 to 12 months. Type II is the standard that most customers and prospects require because it provides assurance that controls actually work.