Glossary
SOC 2
SOC 2 is an auditing standard for service organizations that report on how they handle customer data — across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 (Service Organization Control 2) is an auditing framework maintained by the AICPA (American Institute of Certified Public Accountants). It's designed for service organizations — primarily SaaS companies — to report on how they handle customer data.
Five Trust Services Criteria: Security (mandatory), Availability (uptime and resilience), Processing Integrity (system processes work as intended), Confidentiality (data is protected from unauthorized access), Privacy (personal information is handled per the privacy notice). Most SOC 2 reports cover Security + 1–2 others; the full five-criteria audit is rare.
Two report types: Type I (controls are designed correctly at a point in time) and Type II (controls are operating effectively over a period, typically 6–12 months). Enterprise buyers almost always require Type II; Type I is a stepping stone for early-stage companies on the path to Type II.
Practical requirements: documented security policies, access controls and least-privilege provisioning, encryption in transit and at rest, vulnerability management and a defined patching cadence, an incident response plan, security training for employees, vendor management with DPAs (data processing agreements), and a change-management process for production deploys. The auditor reviews evidence collected over the audit period (Type II) and writes an attestation report.
Cost and timeline: SOC 2 Type I typically runs $15K–$40K + 3–6 months of preparation. Type II adds another $20K–$60K and 6–12 months of observation period. Tools like Vanta, Drata, and Secureframe automate much of the evidence collection — cutting prep time roughly in half. SOC 2 is the floor for enterprise SaaS sales; without it, enterprise procurement teams typically can't engage past a discovery call.
Example
A Series A SaaS company targets enterprise customers but loses every deal at the security review stage. They engage Vanta and an auditor, complete SOC 2 Type I in 4 months ($25K), and start the Type II observation period immediately. By month 12, they have a Type II report and the enterprise pipeline reopens.