AICPA Standard

SOC 2 Compliance

The American Institute of CPAs (AICPA) standard for managing customer data based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Start SOC 2 Assessment View Trust Criteria

Trust Criteria

Service principles

Report types

Type I & Type II

12mo

Type II period

Observation window

Origin

Global adoption

Who Needs SOC 2 Compliance?

SOC 2 is essential for any service organization that stores, processes, or transmits customer data.

SaaS Companies

Cloud software providers
Business applications
Data analytics platforms
Collaboration tools

Technology Services

Data centers
Managed IT services
Cloud hosting providers
Security services

Business Services

Payroll processors
HR platforms
Customer service providers
Financial technology

Enterprise Requirement: Most enterprise customers require SOC 2 compliance before signing contracts with vendors who will handle their data.

Trust Service Criteria

SOC 2 reports are built around five Trust Service Criteria (TSC)

Security (Common Criteria)

REQUIRED

Protection of system resources against unauthorized access. This is the foundation and required for all SOC 2 reports.

Access controlsFirewallsIntrusion detectionTwo-factor authentication

Availability

System is available for operation and use as committed or agreed.

Uptime monitoringDisaster recoveryBackup proceduresCapacity planning

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized.

Quality assuranceError handlingInput validationProcessing monitoring

Confidentiality

Information designated as confidential is protected as committed or agreed.

EncryptionAccess restrictionsData classificationSecure disposal

Privacy

Personal information is collected, used, retained, disclosed, and disposed of properly.

Consent managementData minimizationPrivacy noticesIndividual rights

SOC 2 Report Types

Understanding the difference between Type I and Type II reports.

Type I

Point-in-Time Assessment

Evaluates design of controls at a specific point in time
Faster to obtain (typically 1-3 months)
Good starting point for first-time SOC 2
Does not test operating effectiveness

Type II

Period Assessment

Tests design AND operating effectiveness over time
Observation period of 6-12 months
Preferred by most enterprise customers
Provides strongest assurance

How Dependra Helps with SOC 2

Demonstrate strong vendor management practices as part of your SOC 2 compliance program.

Maintain inventory of all sub-service organizations
Assess vendor SOC 2 compliance status
Monitor vendor security posture continuously
Track vendor access to customer data
Generate vendor risk assessment documentation
Identify gaps in vendor security practices

Start SOC 2 Assessment

18 vendors SOC 2 Type II certified

5 vendors require updated reports

Related Standards & Regulations

ISO 27001

Information security management

HIPAA

Healthcare data protection

PCI DSS

Payment card security standard

GDPR

EU data protection regulation

Official Resources

AICPA SOC 2 Guide

Official AICPA SOC resources

Trust Service Criteria

TSC detailed documentation

SOC 2 Quick Facts

Full Name: Service Organization Control 2
Developed By: AICPA
Report Types: Type I & Type II
Typical Timeline: 3-12 months
Type: Attestation Report

Ready for SOC 2 Compliance?

Demonstrate your commitment to security and build trust with enterprise customers.

Start SOC 2 Assessment View Demo