What is SOC 2 Type 2?


SOC 2 Type 2 is a Service Organization Control (SOC) audit that outlines a company's internal controls and details how well they safeguard customer data, specifically for cloud service providers. It is one of three prevalent types of security frameworks developed by the American Institute of Certified Public Accountants (AICPA). SOC 2 Type 2 reports examine how a company's controls perform over a period of time, usually 3-12 months, and cover both the suitability of the company's controls and their operating effectiveness. The audit covers the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type 2 report is more thorough than a SOC 2 Type 1 report, which describes the internal control policies a company has in place at a single point in time and assesses their suitability. SOC 2 Type 2 reports are essential for both security and profitability, as they offer evidence that an organization is implementing the security controls it says it is and that those controls are working correctly to protect sensitive data.