Service Organization Control 2 (SOC 2)
Service Organization Control 2 (SOC 2) is a compliance framework that evaluates how organizations manage customer data based on five trust service criteria.
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 audits assess whether companies have appropriate controls in place to protect sensitive information, particularly for technology and cloud computing organizations that store customer data.
The framework evaluates five key areas: Security (protection against unauthorized access), Availability (system accessibility for operation and use), Processing Integrity (complete, valid, accurate, timely, and authorized system processing), Confidentiality (protection of confidential information), and Privacy (collection, use, retention, disclosure, and disposal of personal information). Organizations can choose which criteria apply to their services.
SOC 2 reports come in two types: Type I examines the design of controls at a specific point in time, while Type II evaluates the operational effectiveness of those controls over a period of time, typically six to twelve months. These audits are conducted by independent certified public accountants and help organizations demonstrate their commitment to data security to customers, partners, and stakeholders, often serving as a competitive differentiator in the marketplace.




