Trust Services Criteria
Security (required) plus any of Availability, Confidentiality, Processing Integrity and Privacy.
The trust report North American buyers ask for.
SOC 2 is an attestation, performed by a licensed CPA firm, against the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. A Type I report assesses design at a point in time; Type II assesses operating effectiveness over a period.
The standard
SOC 2 — AICPA Trust Services Criteria
Who needs it
SaaS and technology vendors — particularly selling into the US — whose customers require independent assurance over how they safeguard data.
5
Trust Services Criteria covered
Security (required) plus any of Availability, Confidentiality, Processing Integrity and Privacy.
Design at a moment (I) versus operating effectiveness across a window, usually 3–12 months (II).
Type II demands sampled evidence throughout the period — continuous collection is essential.
Access reviews, change management and incident response mapped to the criteria.
See exactly how Compliance One maps SOC 2 to your environment in a 30-minute walkthrough.