What is SOC 2?
SOC 2 is an attestation report on the controls a service organization uses to protect customer data. It is part of the AICPA's System and Organization Controls framework, and the examination is performed under the AICPA attestation standard SSAE 18. The work is carried out by a licensed CPA firm, and the deliverable is a report containing the auditor's opinion on whether your system description is fairly presented and whether your controls are suitably designed (and, in a Type 2 report, operated effectively over the review period) to meet the Trust Services Criteria you are reporting against.
The single most important thing to understand is that SOC 2 is not a certification. There is no "SOC 2 certificate" and no body that certifies you. You are not "SOC 2 certified" — you have a SOC 2 report. The distinction is not pedantry: it changes what you can claim, what a customer is actually reviewing, and how the whole process is structured. An auditor is not stamping a pass; they are forming and writing down a professional opinion about your system.
Because it is a report rather than a badge, the contents matter. A SOC 2 report includes management's assertion, a description of your system, the controls you have in place, the tests the auditor performed, the results of those tests (including any exceptions noted), and the opinion the auditor reached. A prospect's security team reads the report, in particular the exceptions and any complementary user-entity controls it assumes; they do not just check a box that says you have one.
SOC 1 vs SOC 2 vs SOC 3
These get confused, so it is worth being precise. SOC 1 reports on controls relevant to a customer's internal control over financial reporting: it exists for service organizations whose services affect their clients' books (payroll processors, for example). SOC 2 reports on controls against the Trust Services Criteria: security is always in scope, and availability, processing integrity, confidentiality and privacy are added as the service organization chooses. It is the report SaaS and cloud vendors are usually asked for. SOC 3 is a short, general-use report issued from the same kind of examination as a SOC 2; it carries the auditor's opinion and management's assertion but omits the detailed system description and the test results, which is why it can be published freely while a full SOC 2 report is a restricted-use document, typically shared only under NDA.