OneColo...

What Does the SOC 2 Type 2 Certification Verify?

SOC 2 Type 2 evaluates controls against the Trust Services Criteria, which commonly include the following areas.


1. Security

Security controls ensure systems are protected against unauthorized access, misuse, or compromise.

Auditors evaluate controls such as:

  • Logical access controls and authentication
  • Role-based permissions and least-privilege enforcement
  • Firewall and network segmentation practices
  • Incident detection and response procedures
  • Vulnerability management and patching workflows

These controls demonstrate that customer systems and data are protected from internal and external threats.


2. Availability

Availability controls verify that systems are designed and operated to remain accessible as committed.

This typically includes:

  • Infrastructure redundancy and fault tolerance
  • Capacity planning and performance monitoring
  • Backup and recovery processes
  • Incident escalation and response procedures
  • Maintenance and change scheduling

For customers, this provides confidence that services are resilient and operational continuity is actively managed.


3. Confidentiality

Confidentiality controls ensure sensitive data is protected throughout its lifecycle.

Auditors review:

  • Data classification and handling policies
  • Encryption in transit and at rest
  • Access restrictions for sensitive systems
  • Secure disposal and data retention practices

These controls are especially important for customers handling proprietary, regulated, or customer-owned data.


4. Processing Integrity (When Applicable)

Processing integrity controls validate that systems process data accurately, completely, and in a timely manner.

This may include:

  • Change management controls
  • System validation and testing procedures
  • Monitoring for errors or failed processes

These controls help ensure infrastructure behaves predictably and reliably.


5. Privacy (When In Scope)

When applicable, privacy controls evaluate how personal data is collected, used, retained, and protected in accordance with stated policies and applicable regulations.


Why the Type 2 Designation Matters

The Type 2 designation is critical.

Rather than evaluating controls at a single point in time, auditors:

  • Test controls across months of real operation
  • Review logs, tickets, approvals, and alerts
  • Validate consistency, not one-time compliance

This confirms that security and reliability are embedded into daily operations, not applied temporarily for audit purposes.