If your company handles customer data, especially in the cloud, you’ve probably been asked for a SOC 2 report. It’s not a certification. It’s an independent attestation audit by a licensed CPA firm that shows your company has controls in place to protect systems and data. In practice, vendor management teams and prospective clients across a wide variety of companies will want one (or at least want to see one), and they will review the report to understand how your company handles data.
A SOC 2 is an independent audit report issued by a licensed CPA firm. It shows that your organization has controls in place to protect systems and data. SOC 2 is designed for service providers like SaaS companies, cloud platforms, managed IT services, and data centers.
There are two types of SOC 2 reports:
- Type I looks at whether your controls are designed properly as of a specific date. This is generally the first report a company new to SOC 2 obtains: it shows that you have implemented controls at the start of the observation period that will later be tested for your Type II report.
- Type II covers the same design evaluation as the Type I but goes further and evaluates whether the controls are operating as intended over time, usually over a period of several months. Unless you are new to the compliance reporting process or the in-scope system is very new, most reports will be a Type II.
SOC 2 isn’t a certification; it’s a compliance framework against which only an independent CPA auditor can issue an opinion. The end result is a report from an independent CPA firm that describes your environment and internal controls and how they meet the selected criteria. Many companies, especially larger ones, expect a Type II SOC 2 report before they’ll do business with a vendor.
Unlike certifications with a fixed checklist, SOC 2 is based on a set of flexible criteria called the Trust Services Criteria (TSC), developed by the AICPA. You can think of the TSC as a rulebook: a set of criteria (often called the common criteria) that apply broadly regardless of which trust service categories you include in your audit. These criteria are organized into categories focused on how your company manages risk and protects systems and data. Generally, you would want to scope in the areas that your customers care about or perceive as a risk to their operations when they use you as a vendor. There are five possible categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
None of them are strictly required, but Security is commonly included because it covers general protections like access controls and system monitoring that are relevant to most services. Organizations select the TSCs that align with the risks they manage and the needs of their customers, allowing the report to reflect what matters most for their environment.
Trust Service Categories Explained

1. Security
This is the category you will see in virtually every SOC 2 report. The Security TSC is about protecting information and systems, with a focus on preventing unauthorized access. It covers the baseline controls that protect systems and data, such as firewalls, multi-factor authentication, intrusion detection, and system monitoring. Security is the foundational criterion in SOC 2 reports, and the other four categories build on it.
2. Availability
This relates to whether your systems are up and running when customers need them. It includes performance monitoring, disaster recovery, and incident response. A cloud-based electronic health records (EHR) platform would likely include the Availability Trust Services Criteria in its SOC 2 report. Healthcare providers rely on constant access to patient records for critical care, so the system must have strong uptime commitments, disaster recovery processes, and performance monitoring in place to meet those expectations.
3. Processing Integrity
This covers the accuracy, completeness, and timeliness of data processing. It’s especially important for systems that automate transactions or produce data outputs, where customers expect payments or records to be processed accurately, completely, and in the correct order. Controls like input validation, transaction logging, and reconciliation processes help ensure that the system functions as intended without errors or delays.
4. Confidentiality
Probably the second most popular TSC after Security. Confidentiality is about protecting sensitive information such as business plans, financials, or trade secrets. It typically applies where your IT systems offer services or platforms that store sensitive customer documents, contracts, and case files that must be protected from unauthorized access. Encryption, strict access controls, and secure data transmission help ensure that only authorized users can view or handle confidential information.
5. Privacy
This deals with how you collect, use, store, and dispose of personal information. It’s particularly important if your service handles personally identifiable information (PII). Unlike Confidentiality, which protects sensitive business information from unauthorized access, Privacy focuses on how personal data is collected, used, stored, and shared in accordance with the organization’s privacy notice and applicable laws. Controls for Privacy include user consent management, data minimization, and procedures for handling user data requests or deletion.
Most companies start by focusing on Security, then add other areas depending on customer expectations or the type of data involved. For example, a healthcare company might also include Privacy, while a payment processor might focus more on Processing Integrity and Confidentiality. Generally, it depends on the type of services offered and what risks your customers are concerned with.
Why SOC 2 Compliance Matters
Getting SOC 2 compliant helps you build trust with your customers and shows you’re serious about protecting their data. It shows that you have put the right controls in place and that those controls have been independently tested. For any company handling sensitive information, it’s a meaningful step toward being more transparent, reliable, and aligned with what clients expect. If you’re thinking about a SOC 2, we can help you get started.

At Sage Audits, We Work With You
We know audits can be overwhelming. Our goal is to make the process smoother, more understandable, and less stressful. We stand beside you with practical guidance—not just paperwork.
Whether it’s your first SOC 2 or a renewal, we’re here to help you get through it confidently and with real value. – Jordan Novak, Managing Partner