SOC 2 Type II
AICPA SOC 2 Type II – Trust Services Criteria Audit
Annual third-party audit of security, availability, processing integrity, confidentiality, and privacy controls over a minimum 6-month observation period.
What this covers
SOC 2 Type II is an audit report produced by an independent CPA firm under the AICPA Trust Services Criteria. It covers five categories: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy – the latter four are optional but typically included by KYC vendors handling PII.
The distinction between Type I and Type II matters for B2B procurement. Type I confirms that controls are designed correctly at a single point in time. Type II adds an observation period of at least six months – the auditor tests whether those controls actually worked throughout. Most enterprise procurement teams require Type II with a report date within the past 12 months.
SOC 2 reports are confidential. Vendors share them under NDA or via their trust center. If a vendor says they're "SOC 2 compliant" but won't produce the report, that's a yellow flag. "In progress" or "pursuing" means they don't have one yet.
Frequently asked questions
What is the difference between SOC 2 Type I and Type II?
Type I validates that controls are suitably designed at a single point in time. Type II validates that controls operated effectively over an observation period of at least six months. B2B buyers should require Type II.
Can I request a SOC 2 Type II report from a vendor?
Yes. SOC 2 reports are confidential but routinely shared under NDA. Vendors with active reports typically disclose this on their Trust Center or will provide on request during procurement.
How often is SOC 2 Type II renewed?
Annual re-audit is standard. Reports older than 12 months should be treated as expired – request the date of the most recent report when evaluating vendors.