SOC 2 — Trust Services Criteria for Service Organizations
Overview last updated: January 2026
What Is SOC 2
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how service organizations (typically SaaS companies, cloud providers, and data processors) manage the systems that store and process customer data.
Unlike certifications you "pass," SOC 2 results in a report issued by an independent CPA firm. The report describes your controls and gives the auditor's opinion on whether they were suitably designed and implemented at a point in time (Type I) or whether they also operated effectively over a review period (Type II).
The Five Trust Services Criteria
SOC 2 is organized around five Trust Services Categories, commonly referred to as the Trust Services Criteria (TSC). You choose which categories are in scope for your audit. Security is always required; the other four are optional:
Security (Common Criteria) — Required
The foundation of every SOC 2 report. Its criteria are called the Common Criteria because they also underpin the other four categories (they are unrelated to the ISO/IEC 15408 Common Criteria used for product evaluations). It covers how you protect information and systems against unauthorized access, both physical and logical. This includes:
- Firewalls, intrusion detection, and network segmentation
- Authentication and authorization controls
- Encryption of data in transit and at rest
- Security monitoring and incident response
- Vulnerability management and patching
- Employee security awareness training
Availability
Evaluates whether your systems are operational and accessible as committed in service level agreements (SLAs). Relevant controls include:
- Uptime monitoring and capacity planning
- Disaster recovery and business continuity plans
- Redundancy and failover mechanisms
- Incident response for outages
- Performance benchmarking
Processing Integrity
Assesses whether system processing is complete, valid, accurate, timely, and authorized. This matters for organizations where data processing errors could cause financial or operational harm:
- Input validation and error handling
- Quality assurance processes
- Reconciliation procedures
- Processing monitoring and alerting
Confidentiality
Addresses protection of information designated as confidential (trade secrets, business plans, intellectual property, non-public financial data). Controls include:
- Data classification schemes
- Access restrictions based on classification
- Encryption for confidential data
- Secure disposal procedures
- NDA and contractual requirements for personnel and vendors
Privacy
The Privacy criteria specifically address personal information: how it is collected, used, retained, disclosed, and disposed of. This is the only category that directly concerns your privacy policy.
How SOC 2 Audits Work
Scoping
Before the audit begins, you define the scope: which systems, processes, and data are included. The scope should cover everything relevant to the services you provide to customers. Overly broad scoping creates unnecessary work; overly narrow scoping raises auditor concerns.
Control Selection
You map controls to the Trust Services Criteria and their points of focus. There is no prescribed set of controls; you design controls appropriate to your environment. A startup running entirely on AWS will have different controls than an enterprise with on-premises data centers.
Evidence Collection
For a Type II report, auditors examine evidence over a review period. The AICPA sets no minimum length, but auditors generally expect at least a few months; 6 or 12 months is typical, with shorter periods common for a first report. Evidence includes:
- System configurations and screenshots
- Access control lists and permission reviews
- Change management logs
- Incident response records
- Policy documents and employee acknowledgments
- Monitoring dashboards and alert histories
- Vendor management documentation
The Report
The final SOC 2 report includes:
- Management's assertion about their controls
- System description detailing the services, infrastructure, and data flows
- Auditor's opinion on whether controls were suitably designed (Type I) or operating effectively (Type II)
- Detailed control testing results showing each control, the test performed, and the result
- Exceptions where controls were not operating as described
Where Privacy Policies Fit
Your privacy policy is directly relevant only if you include the Privacy Trust Services Criteria in your SOC 2 scope. Many organizations only pursue Security (Common Criteria) plus one or two additional criteria, and skip Privacy entirely.
If Privacy is in scope, auditors review your privacy policy to verify that:
- It accurately describes your data collection, use, and sharing practices
- The commitments in the policy align with your actual internal controls
- It addresses the AICPA's privacy criteria: notice and communication of objectives; choice and consent; collection; use, retention, and disposal; access; disclosure and notification; quality; and monitoring and enforcement (security of personal information is covered by the Common Criteria rather than by a separate privacy criterion)
- It is accessible to users and kept up to date
If Privacy is not in your SOC 2 scope, your privacy policy won't be a focus of the audit — though auditors may still glance at it as part of the system description review.
When to Include Privacy in Your SOC 2
Include the Privacy criteria if:
- Your customers explicitly require it (check their vendor security questionnaires)
- You process significant amounts of personal data as a core part of your service
- You want to differentiate your SOC 2 report from competitors who only cover Security
Skip it if:
- Your service primarily handles non-personal data (infrastructure, DevOps tooling)
- You already maintain GDPR, CCPA, or HIPAA compliance evidence and your customers accept it in place of a SOC 2 privacy opinion (regulatory compliance on its own is not a substitute for the Privacy category, but it often answers the same customer questions)
- Adding Privacy would significantly expand the audit scope without clear customer demand
Common Misconceptions
"SOC 2 is a certification." It's not. It's a report. You don't "get SOC 2 certified" — you receive a SOC 2 report from an auditor. The report can contain exceptions and qualified opinions.
"SOC 2 Type I is a stepping stone to Type II." Not exactly. Type I evaluates design at a point in time, Type II evaluates effectiveness over a period. Many organizations go directly to Type II. Type I is useful if you need to demonstrate controls quickly while building a track record for Type II.
"You need SOC 2 to sell to enterprises." Often true in practice, but not universal. Some enterprises accept an ISO/IEC 27001 certificate, others rely on their own security questionnaires. SOC 2 is most commonly required in the US market.
"SOC 2 covers everything about security." SOC 2 covers only the controls and systems you define in your scope. It is possible to have a clean SOC 2 report with a narrow scope that does not cover all of your systems, so when you read a vendor's report, check the system description and scope section rather than relying on the opinion alone.
Preparing for a SOC 2 Audit
- Choose your criteria. Start with Security. Add Availability if you have SLA commitments, Confidentiality if you handle trade secrets, Processing Integrity if you process financial transactions, and Privacy if your customers require it.
- Define your scope. Identify which systems, teams, and data flows are included.
- Perform a readiness assessment. Identify gaps between your current controls and what auditors will expect. Fix the gaps before the audit period begins, because a control that starts operating mid-period will show as an exception for the months it was absent.
- Implement controls and collect evidence. For Type II, you need evidence covering the whole review period (commonly 6 or 12 months) showing controls operating effectively.
- Select an auditor. Choose a CPA firm experienced with your industry and tech stack. The relationship matters; you will work closely with them.
- Undergo the audit. Provide evidence, answer questions, and address any findings.
How Privacy Policy Review Helps
If you're including the Privacy criteria in your SOC 2 audit, our service reviews your privacy policy against the AICPA's privacy requirements. The AI identifies specific gaps — missing disclosures, vague language, misalignment with standard privacy criteria — and an attorney verifies the findings in a signed Record of Review.
This won't replace your SOC 2 audit, but it gives you a concrete pre-audit check on one of the artifacts your auditor will examine.
Ready to review your privacy policy?
Get AI-powered compliance analysis verified by an attorney — flat $199 per review.
Start Your Review