Framework library / SOC 2

Data & Security · regulatory framework

SOC 2 — AICPA Trust Services Criteria.

The de-facto North American security attestation — vendor management evidence is sampled in every Type II audit.

What it is

SOC 2 is an attestation report against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Type II examines whether controls operated over a period — including vendor management controls: assessing, contracting and monitoring the subservice organizations and suppliers you rely on.

Who it applies to

SaaS and services companies undergoing customer security review, and the vendors they must in turn monitor.

The evidence auditors expect

How ComplianceFlow keeps you ready

Related frameworks

ISO 27001NIST CSF21 CFR Part 11

See SOC 2 evidence assemble itself.

ComplianceFlow keeps a living copy of SOC 2 mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.

Book a demo Get the audit checklist