TLDR:
SOC 2 (Service Organization Control 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating service organizations’ controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are produced by independent auditors and have become a de facto requirement for B2B SaaS companies serving US enterprise customers.
Trust Services Criteria
SOC 2 evaluates controls against five “Trust Services Criteria” (TSC): Security (foundational and always included; covers protection against unauthorized access), Availability (system uptime and performance), Processing Integrity (system processing is complete, valid, accurate, timely, and authorized), Confidentiality (information designated as confidential is protected), and Privacy (personal information is collected, used, retained, disclosed, and disposed of properly). Companies select which TSCs to include based on customer requirements and their service offering.
Type I vs. Type II
There are two report types: SOC 2 Type I evaluates the design of controls at a single point in time (achievable in weeks); SOC 2 Type II evaluates the operating effectiveness of controls over a period (typically 6-12 months, requiring evidence that the controls operated throughout). Type II is significantly more rigorous and is what most enterprise customers actually require. New companies typically achieve Type I first, then Type II in their second annual audit cycle.
SOC 2 in Practice
Building a SOC 2 program involves: defining the audit scope (which services, which TSCs, which subservice organizations), implementing required controls (access management, change management, incident response, vendor management, encryption, business continuity, etc.), gathering evidence of control operation, engaging an AICPA-licensed CPA firm for the audit, and remediating identified deficiencies. Specialized “SOC 2 in a box” vendors (Vanta, Drata, Secureframe) have emerged to streamline implementation. Costs range from $20K-$100K+ depending on complexity. For SaaS startups pursuing US enterprise customers, SOC 2 has become essentially mandatory—often blocking deals if absent.