All frameworks
SOCType I & II

SOC 2 compliance

The trust report North American buyers ask for.

SOC 2 is an attestation, performed by a licensed CPA firm, against the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. A Type I report assesses design at a point in time; Type II assesses operating effectiveness over a period.

See how it works

The standard

SOC 2 — AICPA Trust Services Criteria

Who needs it

SaaS and technology vendors — particularly selling into the US — whose customers require independent assurance over how they safeguard data.

5

Trust Services Criteria covered

What it covers

Trust Services Criteria

Security (required) plus any of Availability, Confidentiality, Processing Integrity and Privacy.

Type I vs Type II

Design at a moment (I) versus operating effectiveness across a window, usually 3–12 months (II).

Evidence over time

Type II demands sampled evidence throughout the period — continuous collection is essential.

Auditor-ready workflows

Access reviews, change management and incident response mapped to the criteria.

How Compliance One helps

  • Maps your controls to the Trust Services Criteria and flags gaps before your auditor does.
  • Continuously captures timestamped evidence across the full Type II observation window.
  • Automates recurring tasks — access reviews, vendor reviews — so nothing lapses mid-period.
  • Reuses the same evidence to satisfy ISO 27001 and other frameworks in parallel.
One control set, many frameworks. Evidence you collect for SOC 2 is automatically reused across the other standards you run — do the work once, prove it everywhere.

Ready to tackle SOC 2?

See exactly how Compliance One maps SOC 2 to your environment in a 30-minute walkthrough.