SOC 2 Audit: Frequently Asked Questions
This article answers common questions about SOC 2 audits, explaining what they are, why they matter, and what Alloy’s recent certification means for customers.
SOC 2 is a widely recognized audit framework developed by the AICPA to assess how well service organizations protect customer data through defined Trust Services Criteria. This FAQ explains the difference between SOC 2 Type I and Type II, how it compares to regulations like GDPR, and what controls organizations are expected to implement.
Alloy recently completed its first SOC 2 Type I audit, demonstrating its commitment to data security and transparency through independent third-party validation.
What is SOC 2?
SOC 2 (System and Organization Controls 2) is a framework used to evaluate how securely a service organization handles customer data.
A service organization in this context is the entity being audited.
SOC 2 was developed in 2011 by the American Institute of Certified Public Accountants (AICPA) in response to the growing need for trust in cloud services and IT outsourcing.
SOC 2 focuses on Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Now SOC 2 is a widely recognised report, and having this report compiled by a licensed CPA firm brings plus point for the company as a technology vendor.
You can earn the title “SOC 2 certified” by proving compliance to a licensed CPA firm. They then issue a formal report, which serves as your attestation.
What exactly does SOC 2 attest?
A SOC 2 report evaluates “controls… relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
Stay connected
Follow us on LinkedIn for the latest product insights, feature previews, and more exclusive updates.
Now, all these words sound very formal and abstract and make little sense for the untrained eye. Let’s try to understand what those mean in practice.
Trust Services Criteria
Security, availability, processing integrity, confidentiality and privacy are the so-called Trust Services Criteria (TSC). TSC form the foundation of the SOC 2 evaluation framework for auditors. In simpler words, when auditors evaluate an organization, they refer to these criteria.
AICPA maintains and governs the Trust Services Criteria and updates them if needed. Each criterion includes control objectives and points of focus which show the auditors what exactly they need to “check” when evaluating an organization.
What are the organization controls which SOC 2 evaluates?
The word control here has the meaning “a device or mechanism used to regulate or guide the operation of a system”. Organization controls are the internal policies, procedures, and technical safeguards the company implements to protect data and systems.
What kind of policies, procedures, and technical safeguards can these be?
Examples of policies: disaster recovery plan, information security policy, privacy policy.
Examples of procedures: employee background checks, backup testing, access control reviews.
Examples of technical safeguards: multi-factor authentication (MFA), high availability mode.
What is the SOC 2 report needed for?
A SOC 2 report is needed to provide independent assurance that the organization has effective controls in place to protect data and systems.
Let’s say you want to start saving money. You look for a personal finance tracker, and you find one that has all the needed capabilities. How can you make sure that the information about your purchases and income remains confidential in the hands of the software provider? A SOC 2 report describing how the vendor manages customer data could be very helpful.
Individual consumers hardly ever go that far when choosing software for personal needs. But businesses, especially large ones, place more emphasis on vendor due diligence. It helps them mitigate third-party risk by verifying that vendors can safeguard sensitive data.
Why is it called SOC 2? Is there some SOC 1 or SOC 3?
Yes, it’s called SOC 2 because it’s part of a family of reports under the System and Organization Controls (SOC) framework developed by the AICPA. There are indeed SOC 1, SOC 2, and SOC 3—each designed for different purposes and audiences.
What is the difference between SOC 2 type I and type II?
The primary difference between SOC 2 Type I and SOC 2 Type II lies in the scope and timing of the audit.
A SOC 2 Type I report assesses whether controls are designed appropriately and implemented at a specific point in time. It answers the question: “Are the necessary controls in place right now?”
A SOC 2 Type II report goes deeper. It not only reviews the design of the controls but also evaluates whether they are operating effectively over a period of time, usually between 3 and 12 months. The Type II report answers the question: “Have these controls worked consistently and effectively over time?”
Is SOC Type I needed to get the SOC Type II report?
You can pursue SOC 2 Type II directly if your organization has controls in place and can demonstrate their effectiveness over time. Type I is helpful—but not required—as a precursor.
Type I is often used as a “readiness milestone”. It helps organizations identify gaps in controls before committing to the longer Type II audit window.
What is the difference between SOC 2 and GDPR and other data protection legislations?
- Mandatory restrictions vs. voluntary audits: SOC 2 is a voluntary audit framework developed by an authoritative body in the industry, while GDPR and other data protection laws (like HIPAA or CCPA) are legal requirements imposed by governments.
- Scope: SOC 2 focuses broadly on security, availability, confidentiality, privacy, and processing integrity, and is applicable to any organization providing services that handle customer data. GDPR, on the other hand, specifically governs the handling of personal data of individuals within the EU, while HIPAA ensures secure handling of sensitive medical information.
- The goal vs. The means of achieving it: SOC 2 is often used to support or complement compliance with regulations like GDPR by providing documented evidence of strong internal controls. However, passing a SOC 2 audit does not automatically mean a company is GDPR-compliant.
Alloy’s SOC 2 report
In Apil 2025, we’ve undergone our first SOC 2 audit!
An independent CPA firm conducted a thorough audit of our internal controls, policies, and procedures. The audit confirmed that our systems are secure, reliable, and well-documented.
This was a type I SOC 2 audit, and we’re preparing for type II as we speak.
What does this mean for our customers?
As we’ve already explained above, by passing the SOC 2 audit, a company can show that it takes security seriously and follows trusted standards to keep your data safe, available, and private.
What’s more:
- This validation comes from an objective, third-party source—you don’t have to take our word for it. In our case, it was Thoropass (previously Laika).
- You can request a copy of the report in our Trust Center and explore detailed information about our cybersecurity efforts.
- If your management needs more information about Alloy as a vendor, the Trust Center serves as a one-stop shop. It offers standardized documentation that verifies our approach to managing cybersecurity risks.
Key takeaways
- What is SOC 2: SOC 2 is a voluntary compliance framework developed by the AICPA to evaluate how well an organization safeguards customer data across five key areas: security, availability, processing integrity, confidentiality, and privacy.
- What does getting SOC 2 mean for Alloy Software: Alloy Software has successfully completed its SOC 2 Type I audit, confirming that its internal controls, policies, and systems meet trusted standards for protecting data.
- How it helps our customers: The SOC 2 report supports procurement and due diligence processes by providing standardized documentation that demonstrates Alloy’s commitment to cybersecurity and operational excellence. Learn more in Alloy’s Trust Center.
