SOC 2

A compliance framework developed by AICPA that evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and privacy of customer data.

Also known as: SOC 2 Compliance, SOC2, Service Organization Control 2

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing procedure developed by the American Institute of CPAs (AICPA) that evaluates how well a service organization manages customer data. It's based on five Trust Services Criteria and has become the de facto compliance standard for SaaS companies.

Trust Services Criteria

Security (required): protection against unauthorized access.

  • Access controls
  • Firewalls and encryption
  • Intrusion detection
  • Incident response

Availability: system accessibility as committed.

  • Uptime monitoring
  • Disaster recovery
  • Capacity planning
  • Incident management

Processing Integrity: complete, accurate, timely processing.

  • Quality assurance
  • Error handling
  • Processing monitoring

Confidentiality: protection of confidential information.

  • Data classification
  • Encryption
  • Access restrictions
  • Secure disposal

Privacy: personal information handling.

  • Notice and consent
  • Collection limitation
  • Use and retention
  • Disclosure and access

SOC 2 Type 1 vs Type 2

Type 1

  • Point-in-time
  • Control design
  • Faster to obtain
  • Snapshot

Type 2

  • Period of time (6-12 months)
  • Control design + operating effectiveness
  • More rigorous
  • Continuous evidence

The Audit Process

  1. Readiness assessment
  2. Gap remediation
  3. Control implementation
  4. Evidence collection
  5. Auditor examination
  6. Report issuance