Framework library / SOC 2
Data & Security · regulatory framework
SOC 2 — AICPA Trust Services Criteria.
The de-facto North American security attestation — vendor management evidence is sampled in every Type II audit.
What it is
SOC 2 is an attestation report against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Type II examines whether controls operated over a period — including vendor management controls: assessing, contracting and monitoring the subservice organizations and suppliers you rely on.
Who it applies to
SaaS and services companies undergoing customer security review, and the vendors they must in turn monitor.
The evidence auditors expect
- Vendor inventory with risk tiering
- Vendor security assessments and review cadence records
- Contracts and certificates for critical vendors, current not expired
- Evidence that vendor issues were tracked to resolution
How ComplianceFlow keeps you ready
- The vendor inventory, tiering and review evidence live in one system with the complete history
- Automated reminders keep assessments and certificates inside their review windows
- Auditor sampling becomes an export, not an email hunt
Related frameworks
See SOC 2 evidence assemble itself.
ComplianceFlow keeps a living copy of SOC 2 mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.
Book a demo Get the audit checklist
TraceR2C