Aadit Technologies

SOC 2: System and Organization Controls 2

SOC 2 (System and Organization Controls 2) is a compliance framework and audit report developed by the AICPA that evaluates how well a service organisation protects customer data. Assessments are based on five Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy — and are especially important for SaaS and cloud providers.

A SOC 2 report comes in two forms. A Type I report assesses whether controls are suitably designed at a single point in time, while a Type II report tests whether those controls operated effectively over a period — typically three to twelve months. Type II carries the most weight with enterprise buyers.

Because SOC 2 is tailored to service organisations that store customer data in the cloud, it has become a near-standard requirement in SaaS procurement. Many companies pursue it alongside ISO 27001, reusing much of the same underlying control set.