SOC 2 is an attestation report, defined by the American Institute of Certified Public Accountants (AICPA), that describes how a service organization manages customer data against a set of Trust Services Criteria. It is not a certification and not a government mandate; it is an independent CPA firm's opinion on whether your controls are designed appropriately (Type I) and operating effectively over time (Type II). Most SaaS and cloud vendors pursue SOC 2 because enterprise buyers ask for it during procurement. This FAQ answers the questions we hear most often, and notes honestly where Safeguard itself sits: our platform architecture is built for FedRAMP HIGH and DoD Impact Level deployment, and our own SOC 2 Type II audit is in progress.
Frequently Asked Questions
What is SOC 2 and who actually needs it? SOC 2 (System and Organization Controls 2) is an AICPA attestation standard for service organizations that store, process, or transmit customer data. You "need" it when your enterprise customers make it a condition of the contract, which is common for SaaS, infrastructure, and data-processing vendors. There is no legal obligation to hold SOC 2, but the absence of a report increasingly stalls B2B sales cycles.
Is SOC 2 a certification? No. SOC 2 results in an attestation report signed by a licensed CPA firm expressing an opinion, not a pass/fail certificate. You should be skeptical of any vendor claiming to be "SOC 2 certified"; the correct phrasing is "SOC 2 Type II report" or "SOC 2 attestation." The distinction matters because a report contains the auditor's actual findings, which a customer's security team can read and evaluate.
What is the difference between SOC 2 Type I and Type II? A Type I report evaluates whether your controls are suitably designed at a single point in time. A Type II report evaluates whether those controls operated effectively across an observation period, typically three to twelve months, and is the report enterprise buyers usually want. Type I is often used as a first milestone on the way to Type II, not as a destination.
What are the five Trust Services Criteria? The five criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security (the Common Criteria, CC1 through CC9) is mandatory in every SOC 2 report; the other four are included based on your commitments to customers. Most vendors scope Security plus Availability and Confidentiality, adding Privacy or Processing Integrity when their product handles regulated or transactional data.
How long does the Type II observation period have to be? The auditor tests control operation over a defined window, most commonly three, six, or twelve months. First-time reports frequently use a shorter three-to-six-month window to reach an initial report faster, then move to a rolling twelve-month cycle for renewals. The controls must be demonstrably operating for the entire period, so the clock does not start until your controls are actually live.
Who is allowed to perform a SOC 2 audit? Only a licensed CPA firm can issue a SOC 2 report, because it is an attestation engagement under AICPA standards. Compliance-automation platforms and readiness consultants can prepare you, but they cannot sign the opinion. When you evaluate an auditor, confirm they are an AICPA member firm and ask for a redacted sample report.
What evidence do SOC 2 auditors actually test? Auditors sample real artifacts tied to each control: access-review records, change-management tickets, onboarding and offboarding logs, incident records, vulnerability-scan results, and remediation timelines. The recurring failure is not missing policies but missing evidence that the policy was followed on specific dates. Safeguard produces continuous, timestamped vulnerability and remediation evidence through software composition analysis, so the change-management and vulnerability-management controls have an audit trail auditors can sample directly.
How does SOC 2 relate to vulnerability management? The Common Criteria include change management and risk mitigation, and auditors routinely map vulnerability identification and remediation to CC7 (system operations) and CC8 (change management). You need to show that vulnerabilities are detected, triaged, and remediated within your stated SLAs, with dated evidence. Continuous scanning with recorded remediation dates turns this from a scramble into a query.
Do we need an SBOM for SOC 2? SOC 2 does not explicitly require a software bill of materials, but an SBOM is one of the cleanest ways to evidence that you track third-party components and their known vulnerabilities. It supports the risk-assessment and vendor-management criteria and shortens the customer security questionnaires that follow the report. Safeguard's SBOM Studio generates and version-controls SBOMs so component inventory is always current rather than reconstructed at audit time.
How is SOC 2 different from ISO 27001? ISO 27001 is a certifiable international standard for an information security management system (ISMS), with a certificate issued by an accredited body. SOC 2 is an AICPA attestation report with an auditor's opinion, more common in North American procurement. They overlap heavily on controls, so many organizations pursue both and reuse evidence across them.
What is a bridge letter? A bridge letter (or gap letter) is a document, written by your management rather than the auditor, that covers the gap between the end of your report's observation period and the customer's current date. It states that no material changes to controls occurred in the interim. It is a stopgap, not evidence, and customers will still expect a fresh report on your annual cycle.
What causes a qualified opinion? A qualified opinion means the auditor found one or more controls that did not operate effectively during the period. Common triggers are access reviews that were not performed on schedule, change tickets missing approvals, and vulnerabilities left open past the organization's own remediation SLA. Automating the evidence for these high-frequency controls is the most reliable way to avoid a qualification.
Is Safeguard itself SOC 2 compliant? We are honest about our posture: Safeguard's SOC 2 Type II audit is in progress, and our platform is architected for FedRAMP HIGH and DoD Impact Level deployment from the ground up. We use our own product to generate our continuous compliance evidence, which is part of why we can speak to the auditor's perspective in this FAQ.
How does Safeguard help produce SOC 2 evidence? Safeguard maps policy gates and continuous vulnerability evidence to the Trust Services Criteria so the CC7 and CC8 controls are backed by dated, exportable artifacts. Our compliance workspace organizes findings, SBOMs, and remediation history into an evidence pack an auditor can sample, reducing the manual screenshot-gathering that dominates most first audits.
Related reading: compare deployment tiers on the pricing page, and read the full product documentation at docs.safeguard.sh.