SOC 2 is an auditing framework defined by the AICPA for service organizations. It reports on controls relevant to the Trust Services Criteria, and a SOC 2 report is produced by an independent CPA firm.
SOC 2 (System and Organization Controls 2) is an attestation framework defined by the AICPA for service organizations that store, process, or transmit customer data. Rather than a pass/fail certification, a SOC 2 engagement produces a report in which an independent CPA firm describes your controls and tests whether they meet the Trust Services Criteria. It has become the de facto baseline that B2B SaaS buyers ask for during procurement and security reviews.
A Type I report attests to control design at a point in time and is often pursued first. A Type II report covers operating effectiveness over an observation window that is commonly three to twelve months, so most teams plan around the length of that window rather than a fixed deadline.
Public information about the framework itself. We don't claim certifications, assessment status, or authorizations for our own product.
How the platform supports your SOC 2 program — from first scope to ongoing monitoring.
Decide which Trust Services Criteria apply beyond the required Security category, and define the systems in scope.
Connect the Common Criteria to automated tests and the evidence that proves each control is operating.
Pull configuration and activity evidence on a schedule so evidence for your Type II window accumulates continuously, instead of being gathered in a scramble at the end of the period.
Organize evidence the way CPA firms expect to receive it, with owners and history attached to every control.
Public, high-level control or requirement areas — for orientation, not a complete control list.
SOC 2 shares controls with frameworks you may already run. A passing test can satisfy requirements in more than one place — so adding the next framework means reusing work, not repeating it.
No. SOC 2 is an attestation: an independent CPA firm issues a report describing and testing your controls. There is no certificate or governing body that 'certifies' you.
Type I evaluates control design at a single point in time; Type II evaluates operating effectiveness over a period. Many teams start with Type I to validate design, then move to Type II.
Yes. Much of the Security (Common Criteria) evidence overlaps with ISO 27001, HIPAA, and others, which is exactly what cross-mapping is designed to capture.
Get a guided demo, or start by scanning any domain for free.