← Glossary · Compliance
SOC 2
AICPA attestation report covering how a service organization handles customer data.
SOC 2 (Service Organization Control 2) is an attestation performed by a licensed CPA firm against the AICPA's five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Type 1 reports the design of controls at a point in time. Type 2 reports on the operating effectiveness of those controls over a window — usually 3 to 12 months. Enterprise buyers commonly require Type 2 before signing.
SOC 2 is US-centric and does not certify — it produces a report you share under NDA with prospects and customers.
Related terms
See how Scarlet Risk covers SOC 2.
One platform for compliance, cyber, crypto, and world-watch risk.
Schedule Live Demo