New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →
← Glossary · Compliance

SOC 2

AICPA attestation report covering how a service organization handles customer data.

SOC 2 (Service Organization Control 2) is an attestation performed by a licensed CPA firm against the AICPA's five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Type 1 reports the design of controls at a point in time. Type 2 reports on the operating effectiveness of those controls over a window — usually 3 to 12 months. Enterprise buyers commonly require Type 2 before signing.

SOC 2 is US-centric and does not certify — it produces a report you share under NDA with prospects and customers.

Related terms

See how Scarlet Risk covers SOC 2.

One platform for compliance, cyber, crypto, and world-watch risk.

Schedule Live Demo