Compliance

SOC 2

A compliance framework for service organisations based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how well a service organisation manages data based on five Trust Service Criteria.

Trust Service Criteria

Security — protection against unauthorized access
Availability — the system is available for operation as agreed
Processing integrity — system processing is complete, valid, accurate, and timely
Confidentiality — information designated as confidential is protected
Privacy — personal information is collected, used, retained, and disclosed in conformity with the entity's privacy notice

Types

Type I — evaluates the design of controls at a specific point in time
Type II — evaluates the operating effectiveness of controls over a period (typically 6–12 months)

Relevance

SOC 2 reports are commonly requested by enterprise customers when evaluating SaaS providers and data processors.

Related Terms

Data ProcessorPrivacy

An entity that processes personal data on behalf of a data controller.

PCI DSSCompliance

Payment Card Industry Data Security Standard — a set of security requirements for organisations that handle credit card data.

ISO 27001Compliance

An international standard for information security management systems (ISMS) — the most widely recognised security certification.

Audit TrailCompliance

A chronological record of system activities that provides evidence of who did what, when, and why.

Server-Side Tracking