SOC 2 (Trust Services Criteria)

SOC 2 reports are issued by independent CPAs and assess controls relevant to the AICPA Trust Services Criteria. Type I = point-in-time design; Type II = operating effectiveness over a period (typically 6–12 months). Security (Common Criteria) is required; Availability, Processing Integrity, Confidentiality, and Privacy are optional.