SOC 2 Type II

SOC 2 Type II is an attestation report issued by a licensed CPA firm that evaluates how a service organization's controls operate over a defined period, typically six to twelve months. It is not a cer

SOC 2 Type II is an attestation report issued by a licensed CPA firm that evaluates how a service organization's controls operate over a defined period, typically six to twelve months. It is not a certification — it is an independent auditor's opinion on whether your controls met the AICPA Trust Services Criteria during the observation window. Type II is the market standard for B2B SaaS companies selling to enterprise buyers; Type I is often used once as a bridge and then retired.

Key controls

• Access control and least privilege
• Change management and code review
• Risk assessment and vendor management
• Logical and physical security
• System monitoring and incident response
• Data encryption in transit and at rest
• Employee onboarding, offboarding, and background checks