What is SOC 2?

A compliance framework developed by the AICPA for service organizations, focused on security, availability, processing integrity, confidentiality, and privacy.

Full explanation

SOC 2 is the standard B2B SaaS compliance report US enterprise buyers ask for. Type 1 is a point-in-time audit; Type 2 covers 3-12 months of continuous operation. Passing Type 1 typically requires ~20 policies, MFA, encryption, access controls, vulnerability management, and an auditor's sign-off. Platforms like Vanta, Drata, and Secureframe automate most of the evidence collection.

Example

A SaaS startup completes SOC 2 Type 1 before their first enterprise deal closes, then runs Type 2 for the next 9-12 months.

FAQ

SOC 2 vs ISO 27001?

SOC 2 is US-centric and AICPA-governed. ISO 27001 is international. Large global customers often ask for both.