[{"data":1,"prerenderedAt":321},["ShallowReactive",2],{"blog-glossary/soc2":3},{"id":4,"title":5,"body":6,"category":296,"date":297,"dateModified":297,"description":298,"draft":299,"extension":300,"faq":301,"featured":299,"headerVariant":305,"image":306,"keywords":306,"meta":307,"navigation":308,"ogDescription":309,"ogTitle":310,"path":311,"readTime":312,"schemaOrg":313,"schemaType":314,"seo":315,"sitemap":316,"stem":317,"tags":318,"twitterCard":319,"__hash__":320},"blog/blog/glossary/soc2.md","What is SOC 2? SaaS Compliance Basics",{"type":7,"value":8,"toc":286},"minimark",[9,16,21,24,28,103,107,147,151,196,205,209,233,255,274],[10,11,12],"tldr",{},[13,14,15],"p",{},"SOC 2 is a compliance framework for service organizations that proves you protect customer data. It covers five trust service criteria: security (required), availability, processing integrity, confidentiality, and privacy. Enterprise customers commonly require SOC 2 reports before purchasing SaaS products. Getting certified involves implementing controls and passing an audit by a CPA firm.",[17,18,20],"h2",{"id":19},"the-simple-explanation","The Simple Explanation",[13,22,23],{},"Enterprise customers want proof that your SaaS product is secure. SOC 2 is that proof. An independent auditor examines your security controls and issues a report. You share that report with customers during sales. It is the standard security checkbox for B2B SaaS.",[17,25,27],{"id":26},"trust-service-criteria","Trust Service Criteria",[29,30,31,47],"table",{},[32,33,34],"thead",{},[35,36,37,41,44],"tr",{},[38,39,40],"th",{},"Criteria",[38,42,43],{},"Focus",[38,45,46],{},"Required?",[48,49,50,62,73,83,93],"tbody",{},[35,51,52,56,59],{},[53,54,55],"td",{},"Security",[53,57,58],{},"Protection against unauthorized access",[53,60,61],{},"Yes",[35,63,64,67,70],{},[53,65,66],{},"Availability",[53,68,69],{},"System uptime and reliability",[53,71,72],{},"No",[35,74,75,78,81],{},[53,76,77],{},"Processing Integrity",[53,79,80],{},"Data processing accuracy",[53,82,72],{},[35,84,85,88,91],{},[53,86,87],{},"Confidentiality",[53,89,90],{},"Protecting confidential information",[53,92,72],{},[35,94,95,98,101],{},[53,96,97],{},"Privacy",[53,99,100],{},"Personal data handling",[53,102,72],{},[17,104,106],{"id":105},"type-i-vs-type-ii","Type I vs Type II",[108,109,111,114,130,133],"prompt-box",{"title":110},"Key differences",[13,112,113],{},"Type I:",[115,116,117,121,124,127],"ul",{},[118,119,120],"li",{},"Point-in-time assessment",[118,122,123],{},"\"Are controls designed correctly?\"",[118,125,126],{},"Faster to obtain (1-3 months)",[118,128,129],{},"Good starting point",[13,131,132],{},"Type II:",[115,134,135,138,141,144],{},[118,136,137],{},"Period of time (3-12 months)",[118,139,140],{},"\"Did controls operate effectively?\"",[118,142,143],{},"More valuable to customers",[118,145,146],{},"Usually required for enterprise deals",[17,148,150],{"id":149},"common-soc-2-controls","Common SOC 2 Controls",[115,152,153,160,166,172,178,184,190],{},[118,154,155,159],{},[156,157,158],"strong",{},"Access control:"," Role-based access, MFA, access reviews",[118,161,162,165],{},[156,163,164],{},"Change management:"," Code reviews, deployment procedures",[118,167,168,171],{},[156,169,170],{},"Incident response:"," Documented procedures, testing",[118,173,174,177],{},[156,175,176],{},"Encryption:"," Data at rest and in transit",[118,179,180,183],{},[156,181,182],{},"Monitoring:"," Logging, alerting, log retention",[118,185,186,189],{},[156,187,188],{},"Vendor management:"," Third-party assessments",[118,191,192,195],{},[156,193,194],{},"Employee security:"," Background checks, training",[197,198,199],"warning-box",{},[13,200,201,204],{},[156,202,203],{},"SOC 2 is ongoing."," After your first report, you need annual audits to maintain compliance. Set up continuous monitoring and evidence collection from the start.",[17,206,208],{"id":207},"getting-soc-2-certified","Getting SOC 2 Certified",[210,211,212,215,218,221,224,227,230],"ol",{},[118,213,214],{},"Choose which trust service criteria to include",[118,216,217],{},"Perform gap assessment against requirements",[118,219,220],{},"Implement missing controls and policies",[118,222,223],{},"Collect evidence of control operation",[118,225,226],{},"Select and engage a CPA firm",[118,228,229],{},"Complete the audit",[118,231,232],{},"Receive your SOC 2 report",[234,235,236,243,249],"faq-section",{},[237,238,240],"faq-item",{"question":239},"What is the difference between SOC 2 Type I and Type II?",[13,241,242],{},"Type I evaluates if controls are properly designed at a specific point in time. Type II evaluates if controls operated effectively over a period (usually 3-12 months). Type II is more valuable to customers because it shows sustained compliance, not just a snapshot.",[237,244,246],{"question":245},"How long does it take to get SOC 2 certified?",[13,247,248],{},"For Type I, typically 1-3 months if you already have controls in place. For Type II, add the observation period (usually 6-12 months) plus audit time. Total timeline is often 9-15 months for first Type II. Using compliance automation platforms can speed up preparation.",[237,250,252],{"question":251},"Which trust service criteria do I need?",[13,253,254],{},"Security is required for all SOC 2 reports. The other four (availability, processing integrity, confidentiality, privacy) are optional. Most SaaS companies include Security and Availability at minimum. Add others based on customer requirements and what data you handle.",[256,257,258,264,269],"related-articles",{},[259,260],"related-card",{"description":261,"href":262,"title":263},"Meeting requirements","/blog/glossary/compliance","Compliance",[259,265],{"description":266,"href":267,"title":268},"The SOC 2 process","/blog/glossary/security-audit","Security Audit",[259,270],{"description":271,"href":272,"title":273},"Required for SOC 2","/blog/glossary/audit-log","Audit Log",[275,276,279,283],"cta-box",{"href":277,"label":278},"/","Start Free Scan",[17,280,282],{"id":281},"prepare-for-soc-2","Prepare for SOC 2",[13,284,285],{},"Find security gaps before your audit.",{"title":287,"searchDepth":288,"depth":288,"links":289},"",2,[290,291,292,293,294,295],{"id":19,"depth":288,"text":20},{"id":26,"depth":288,"text":27},{"id":105,"depth":288,"text":106},{"id":149,"depth":288,"text":150},{"id":207,"depth":288,"text":208},{"id":281,"depth":288,"text":282},"glossary","2026-01-12","Learn what SOC 2 is, the trust service criteria, and how to get SOC 2 certified for your SaaS company.",false,"md",[302,303,304],{"question":239,"answer":242},{"question":245,"answer":248},{"question":251,"answer":254},"green",null,{},true,"SOC 2 is the most common security compliance for SaaS companies. Learn what it requires.","What is SOC 2?","/blog/glossary/soc2","5 min read","[object Object]","DefinedTerm",{"title":5,"description":298},{"loc":311},"blog/glossary/soc2",[],"summary_large_image","9u-OM4459F2m_jMNTjnWTvbihUJRQX5EcO3mGvoxN1c",1775843922149]