The attestation standard for cloud and SaaS service organizations.
SOC 2 is an auditing standard developed by the American Institute of CPAs (AICPA) that evaluates how service organizations manage data security, availability, processing integrity, confidentiality, and privacy. Unlike a certification, SOC 2 is an attestation — a CPA firm examines the organization's controls against the Trust Services Criteria and issues a report.
Type I reports assess the design of controls at a point in time. Type II reports assess both the design and operating effectiveness of controls over a period (typically 6–12 months). Enterprise buyers increasingly require SOC 2 Type II reports as a condition of vendor selection. The documentation architecture supporting a SOC 2 engagement — system descriptions, control matrices, evidence collections, and management assertions — is foundational to audit success.
Security: controls covering logical access, change management, risk assessment, incident response, and monitoring.
Availability: system uptime, performance monitoring, incident and disaster recovery controls.
Confidentiality: data classification, encryption, and confidential information handling controls.
Processing Integrity: complete, accurate, timely, and authorized processing controls.
Privacy: collection, use, retention, disclosure, and disposal of personal information aligned with AICPA privacy criteria.
Templates and implementation resources for SOC 2 Type I & Type II are available through the ELDR Institute Knowledge Hub and via direct request.