
SOC 2

Also known as: SOC 2 Type II · SSAE 18 SOC 2

AICPA attestation report on a service organisation's controls across five Trust Services Criteria.

SOC 2 is a System and Organization Controls report issued under AICPA SSAE 18, attesting how a service organisation designs (Type I) or operates (Type II) controls against the Trust Services Criteria: Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy. Type I is a point-in-time snapshot; Type II covers a 3–12 month observation window.

Why it matters
SOC 2 reports are the de facto baseline for enterprise SaaS procurement in North America. Without a current Type II report, you will routinely be blocked at security review and lose six-figure deals to competitors who have one.

Example
A B2B SaaS vendor selling into the mid-market typically completes a Type I within 90 days, then a Type II covering the following 6 months, for a total time-to-report of roughly 9 months.

Common questions

Is SOC 2 a certification?
No. SOC 2 is an attestation report issued by an independent CPA firm. There is no ‘SOC 2 certification’ logo — only the report itself.
How long is a SOC 2 report valid?
Customers typically expect a report covering a period that ended within the last 12 months. After that, you need a fresh observation window.

Related terms

Trust Services Criteria (TSC)
The five AICPA criteria categories underpinning SOC 2: Security, Availability, Confidentiality, Processing Integrity, Privacy.
ISO/IEC 27001
International standard for an Information Security Management System (ISMS) with 93 Annex A controls.
SOC 2 Type I vs Type II
Type I = design of controls at a point in time. Type II = design + operating effectiveness over a period (typically 3–12 months).
Audit Period (Observation Window)
The continuous date range during which a SOC 2 Type II or ISO 27001 surveillance audit tests operating effectiveness.
