SOC 2
Also known as: SOC2, Service Organization Control 2
SOC 2 is an attestation report issued by an independent auditor, verifying that a service organization’s controls meet the AICPA Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy.
Detailed explanation
SOC 2 reports come in two types. Type I attests to control design at a point in time; Type II attests to operating effectiveness over a period (typically 6–12 months). Most enterprise customers expect Type II from their SaaS vendors.
Achieving SOC 2 requires implementing controls across access management, change management, vulnerability management, vendor risk, incident response, backup and recovery, and business continuity — then producing evidence that they operate consistently.
Modern SOC 2 programs lean heavily on automation: control monitoring platforms (Vanta, Drata, Secureframe), evidence collection from cloud APIs and HR systems, and integration with the existing engineering toolchain. The work is real, but it is also a forcing function for sensible engineering hygiene.