Productera
Glossary

Definition

SOC 2

A compliance framework that verifies an organization handles customer data securely, based on five trust service criteria.

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA. It evaluates an organization's controls across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 compliance is increasingly required by enterprise buyers, especially in SaaS. There are two types: Type I (point-in-time assessment) and Type II (assessment over a period, typically 6-12 months). Achieving SOC 2 requires documented security policies, access controls, encryption, monitoring, and incident response procedures — all of which must be baked into the architecture, not bolted on later.
