SOC 2
A US auditing standard for service organisations that documents how they protect customer data across five Trust Service Criteria.
In detail
SOC 2 (Service Organisation Control 2) is a framework developed by the American Institute of CPAs (AICPA) for auditing the controls of service organisations against the five Trust Service Criteria: security, availability, processing integrity, confidentiality and privacy. A SOC 2 Type I report attests to the suitability of the design of controls at a point in time. A Type II report also covers the operating effectiveness of those controls over a review period, typically six or twelve months. SOC 2 reports are produced by licensed CPA firms under the AICPA's AT-C Section 205 attestation standard.
Why it matters for Australian business
Australian SaaS businesses that sell into the US market or to large enterprise clients are routinely asked for a SOC 2 Type II report, particularly in fintech, HR tech and any sector handling employee or consumer data. For Australian-only businesses the equivalent posture signal is usually ISO 27001 or the Essential Eight, which are better recognised by local boards and auditors. We advise on which certification makes sense for the target market and help build the control baseline that both require.