SOC 2
A third-party attestation report (an auditor's opinion, not a certification) on whether a service provider handles customer data with defined security, availability, and confidentiality controls.
Basic
SOC 2 is an attestation framework from the American Institute of CPAs (AICPA). A provider obtains a clean (unqualified) Type II report by demonstrating that its security controls operated effectively over an audit period, typically 6-12 months. Enterprise buyers treat SOC 2 Type II as the baseline for letting any AI provider process sensitive data. Most frontier model APIs (OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI) hold current SOC 2 reports.
Deep
SOC 2 is an attestation framework defined by AICPA. Providers are audited against the Trust Services Criteria, grouped into five categories: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy (the last four are optional and chosen by the provider). A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a period, typically 6 to 12 months, and is what enterprise procurement asks for. Most major AI providers maintain annual SOC 2 Type II reports. Smaller or newer providers without SOC 2 are effectively blocked from regulated verticals (healthcare, finance, government). SOC 2 alone does not satisfy HIPAA (health) or FedRAMP (US federal), which layer on top.
Expert
SOC 2 reports are issued by licensed CPA firms under the AICPA attestation standards (SSAE 18, AT-C 105 and AT-C 205). The five Trust Services Criteria (TSC) categories comprise several dozen individual criteria, each with points of focus that auditors test via control evidence over the audit period. Type I = design and implementation at a point in time; Type II = design + operating effectiveness over the period. Cloud AI providers typically scope SOC 2 around the data-plane and control-plane services; customer-written application code is out of scope, and subservice organizations (the underlying cloud provider, for example) are usually carved out, so read the system description for scope boundaries and the complementary user entity controls the customer is expected to implement. A modified or qualified opinion is a red flag that requires remediation review; even with an unqualified opinion, check the test results for noted exceptions. SOC 2 reports are not public; most providers share them under NDA via their Trust Centers.
Depending on why you're here
- SOC 2 = AICPA attestation report on a service provider's security controls
- Type II covers operating effectiveness over an audit period, typically 6-12 months
- Five TSC categories: Security / Availability / Processing Integrity / Confidentiality / Privacy
- Ask any AI provider for a current SOC 2 Type II report (and read its scope and exceptions) before sending PII
- Providers without a current report are blocked from most enterprise procurement
- See /pricing/soc2 for a filtered list of SOC 2 providers
- SOC 2 is table stakes; lacking it caps enterprise TAM
- New entrants typically achieve SOC 2 within 12-18 months of launch
- Watch for qualified opinions and noted exceptions as signs of ops immaturity
- A security badge that says "we handle data responsibly"
- Enterprise buyers require it before signing contracts
- OpenAI, Anthropic, Google, Microsoft all have it
Often confused with
ISO 27001 is an international standard under which a provider's information security management system (ISMS) is certified; the result is a pass/fail certificate. SOC 2 is a US-centric attestation report containing the auditor's opinion and detailed control test results. Many enterprises ask for both.
No SOC 2 Type II = no enterprise deal. Every serious AI provider carries it.