Glossary term
SOC 2 Type 2
Also: Service Organization Control 2, SOC 2 Type II
Audit report issued by a US public accounting firm under the AICPA SSAE 18 standard, attesting to the operating effectiveness of a service organisation's controls over a period (typically 6-12 months). The controls are assessed against the Trust Service Criteria.
SOC 2 distinguishes Type 1 (design at a point in time) from Type 2 (operating effectiveness over a period). Trust Service Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy.
In practice a report is treated as valid for 12 months, after which a follow-up audit is required. The report is not public but is made available under NDA. It is the standard in the US cloud market; in the EU banking market it is often additionally combined with a C5 Type 2 report.
In vendor selection: SOC 2 Type 2 is the minimum baseline for SaaS providers. Without the report, a vendor typically fails the DORA Art. 28 eligibility assessment.
Related terms
ISO 27001
International standard for information security management systems. Current version ISO/IEC 27001:20…
BSI C5
Cloud audit catalogue of the German BSI that defines minimum security baseline and transparency duti…
SASE
Gartner architecture category combining network (SD-WAN) and security functions (SWG, CASB, ZTNA, FW…
SBOM
Machine-readable inventory of all components in a piece of software incl. versions, licences and dependencies…
Schrems II
CJEU ruling of 16 July 2020 that invalidated the EU-US Privacy Shield and only allowed Standard Cont…
SIEM (Security Information and Event Management)
A platform that centralises security logs, enables long-term retention, runs correlation rules and s…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
SSE
Subset of SASE without SD-WAN. Bundles SWG, CASB, ZTNA and (increasingly) DLP/RBI in a cloud platfor…
