# What is SOC 2?
SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating how organizations manage data and protect customer information. It assesses your controls across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
For B2B SaaS, AI, data, and developer-tooling companies, SOC 2 is the baseline expectation. Enterprise buyers require it before signing procurement contracts, and prospects evaluate your security posture before they evaluate your product.
## Defining Your Scope
Scope defines the boundary of what the audit will evaluate. Getting scope right is the single most important decision in the readiness process — too broad and you'll spend months remediating low-risk areas; too narrow and the report won't satisfy your buyers.
Your scope includes:
- Services — the products and offerings covered by the report
- Systems — infrastructure, applications, and environments that support those services
- Data — the types of information processed, stored, or transmitted
- People — roles and teams with access to in-scope systems
- Processes — workflows that operate and maintain controls
- Vendors — third parties that affect your control environment
## Trust Services Criteria
Every SOC 2 engagement includes Security. The other four criteria are selected based on your business model, customer commitments, and the nature of data you handle.
| Criterion | Include When | Typical Target Customers |
|---|---|---|
| Security | Always — required for every SOC 2 report | Everyone pursuing SOC 2 |
| Availability | Uptime, resilience, or disaster recovery commitments | SaaS, infrastructure, dev tooling, data platforms |
| Processing Integrity | Accurate, complete, and timely processing is core to your product | Analytics, data pipelines, fintech, ETL |
| Confidentiality | You store or process confidential business information | B2B SaaS, AI/data platforms |
| Privacy | You process personal information subject to privacy commitments | Consumer-facing or privacy-intensive products |
## Type 1 vs. Type 2 Reports
SOC 2 reports come in two types. Most companies start with Type 1 and graduate to Type 2, but the right choice depends on your timeline and buyer requirements.
| Aspect | Type 1 | Type 2 |
|---|---|---|
| Evaluates | Control design as of a point in time | Design + operating effectiveness over a period |
| Observation Period | None (point-in-time snapshot) | 3–12 months (3 months is common for a first-time report) |
| Best Fit | Near-term deal support; controls implemented but no operating history | Operational discipline; strongest buyer assurance |
| Practical Path | Often a stepping stone to Type 2 | Provides the strongest assurance to enterprise buyers |
## Readiness Assessment Checklist
Before engaging an auditor, evaluate where your organization stands against these six readiness questions:
- Are in-scope systems, environments, and vendors documented?
- Are applicable Trust Services Criteria selected and justified?
- Is there a controls matrix with control ID, criterion mapping, owner, and risk level?
- Can the company produce evidence for access reviews, code reviews, change approvals, incidents, backups, and vendor assessments?
- Are high-risk gaps translated into remediation items with owners and due dates?
- Is there an evidence repository with naming conventions and a collection cadence for the observation window?
If you can't confidently answer "yes" to most of these, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what auditors expect across all 12 control areas, with evidence examples for each.