SOC 2 Auditors

The basics

What is SOC 2 compliance?

SOC 2 is an independent report on how a service organization protects customer data. It's the security credential US enterprise buyers ask for most.

What it is

SOC 2 (Service Organization Control 2) is an attestation report produced by an independent, AICPA-licensed CPA firm. It evaluates your controls against the AICPA's Trust Services Criteria. It is not a certificate or a law — it's an auditor's opinion on how well you protect data, which you share with customers as proof.

Who needs it

Any company that stores or processes customer data and sells to other businesses — most often B2B SaaS. If enterprise prospects are sending you security questionnaires, SOC 2 is usually what they're looking for.

The five Trust Services Criteria

Security
The only required criterion — protection against unauthorized access. Every SOC 2 covers it.
Availability
Whether the system is available for operation as committed (uptime, resilience).
Confidentiality
Protection of information designated as confidential.
Processing integrity
Whether processing is complete, accurate, and timely.
Privacy
How personal information is collected, used, retained, and disposed of.

Type 1 vs Type 2

A Type 1 report attests your controls are designed correctly at a point in time. A Type 2 report tests that they operated effectively over a window (often 3–12 months). Most enterprise buyers expect Type 2.

How the audit works

  1. Scoping & readiness

    Choose Type 1 or Type 2, decide which Trust Services Criteria apply, and remediate gaps.

  2. Evidence & control testing

    Collect evidence over the observation window; the auditor tests that controls operate.

  3. Report & remediation

    The firm issues its opinion; you share the report under NDA and address any exceptions.

Cost & timeline

Fees range from roughly $7.5K for a boutique Type 1 to six figures for Big Four engagements. See the audit cost guide for the breakdown, and the "how to choose a firm" guide for selection criteria.
