SOC 2 for data centers and colocation providers
For colocation and hosting providers, the SOC 2 report is where physical security and environmental resilience get tested as rigorously as logical access. It is also the document your customers fold into their own audits.
You are the subservice organization in everyone else's audit
A data center or colocation provider rarely pursues SOC 2 for its own sake; it does so because its customers need it. When a SaaS company that hosts in your facility goes through its own SOC 2, it almost always carves out the physical and environmental controls and points the auditor at your report instead. That makes your SOC 2 Type II a load-bearing artifact in dozens of downstream audits, and the absence of a current one becomes a recurring sales blocker. The flip side is that you carry the controls your customers explicitly cannot, so the bar for evidence is high and the report is read closely.
Physical access controls under the common criteria
Physical security lives in the Security common criteria, and for a facility it is the centerpiece rather than a footnote. CC6.4 expects physical barriers and layered access restriction to areas holding sensitive data and equipment, while CC6.5 addresses secure handling and disposal of media and hardware so decommissioned assets cannot leak data. Auditors look for concrete operating evidence: badge and biometric access by zone, mantraps or interlocking doors, visitor logging and escort procedures, retained CCTV footage, and periodic reviews that revoke access promptly when staff or customer personnel change. Documentation alone does not pass; the controls have to be shown operating across the observation period.
Availability and environmental resilience
Most colocation providers add the Availability category, where criterion A1.2 centers on environmental protections and recoverability. This is where the engineering reality of the facility meets the audit: redundant utility feeds and UPS, backup generators with tested fuel supply, redundant cooling and humidity control, fire detection and suppression suited to electronics, and continuous environmental monitoring with alerting. Auditors want evidence the protections are exercised, not just installed, so expect to provide generator load-test records, fire-system inspection logs, and capacity or PUE monitoring data. Tested failover and the ability to meet the uptime commitments in your customer SLAs are what turn redundancy on paper into a passing control.
Logical controls still matter
Physical resilience can dominate the conversation, but a data center is also a managed technology operation, and the logical side of the common criteria applies in full. Building management systems, remote-hands tooling, environmental and DCIM platforms, and the corporate network that staff use to administer the facility all fall in scope. Auditors will look for MFA and least-privilege access to those systems, change management for facility infrastructure, vulnerability management, and logging and monitoring of administrative activity. A provider that nails physical security but leaves its management network loosely controlled will still draw exceptions.
Scoping and practical guidance
Define the system boundary carefully: which sites, which suites or cages, and which services (raw space and power, remote hands, managed networking) are covered, since customers will check that their footprint is actually in scope. Decide your Trust Services categories early, with Security mandatory and Availability nearly universal for this model, and add others only where you genuinely deliver them. Plan for a Type II from the outset because customers using your report for carve-outs need operating-effectiveness assurance, not a point-in-time snapshot. Finally, write clear complementary user entity controls so colocation customers understand what remains their responsibility, such as securing their own cabinets, managing their cross-connects, and controlling their personnel's access lists.