Framework · AICPA

SOC 2 compliance

SOC 2 is the report your US enterprise buyers ask for before they will sign. Scadable gets you audit-ready and through the audit.

What is SOC 2?

SOC 2 is an independent attestation, defined by the AICPA, that your controls meet the Trust Services Criteria for handling customer data. It is not a certificate; it is a report written by a licensed CPA firm after they examine your controls.

The five Trust Services Criteria

Security is the required baseline, joined by Availability, Processing Integrity, Confidentiality, and Privacy. Most companies start with Security and add the others as buyers demand them.

Type I vs Type II

A Type I report attests that your controls are designed appropriately at a point in time. A Type II report attests that they operated effectively over a period, commonly three to twelve months. Enterprise buyers usually want Type II.

Who needs SOC 2?

SaaS and technology vendors, especially those selling to US enterprises. It is frequently the gate that has to be cleared before a deal closes.

How Scadable gets you there

Scadable continuously collects the evidence, fixes the technical gaps, prepares the documentation mapped to the criteria, and lines up the audit with a vetted partner. You review and approve.

Frequently asked questions

Is SOC 2 a certification?
No. It is an attestation report issued by a licensed CPA firm, not a certificate.
What is the difference between Type I and Type II?
Type I is control design at a point in time. Type II is operating effectiveness over a period, commonly three to twelve months.
How long does SOC 2 take?
A Type I can be a few weeks. A Type II needs an observation window, commonly three to twelve months.
Do I need SOC 2 to sell in the EU?
The EU leans on the CRA and ISO 27001. SOC 2 is primarily a North American buyer requirement.

Get SOC 2-ready. Without the busywork.