Definition
SOC 2
SOC 2 is an auditing standard from the AICPA that assesses how a service organization handles customer data against five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report, produced by an independent auditor, is the common way SaaS vendors demonstrate to customers that their controls are designed and operating effectively.
Key takeaways
- SOC 2 is an AICPA auditing standard evaluating how a service organization protects customer data against five trust service criteria.
- Security is the only mandatory criterion; availability, processing integrity, confidentiality, and privacy are added based on the service.
- A Type I report attests control design at a point in time; a Type II — what enterprises usually require — attests effectiveness over months.
- It signals operational maturity and is often a prerequisite for selling to security-conscious enterprise buyers.
SOC 2 (Service Organization Control 2) is not a checklist of mandatory controls but a framework: each organization defines controls appropriate to its business, and an independent auditor evaluates them against the relevant Trust Service Criteria. Security is the only mandatory criterion; the others — availability, processing integrity, confidentiality, and privacy — are included based on what the service handles.
There are two report types, and the distinction matters. A Type I report attests that controls are suitably designed at a single point in time. A Type II report — the one enterprise buyers usually require — attests that those controls operated effectively across an observation period, typically several months to a year, which is a far stronger assurance.
Achieving SOC 2 is a process: an organization establishes controls (access management, change management, encryption, monitoring, incident response), collects evidence that they run continuously, and then undergoes the audit. It signals operational maturity and is often a prerequisite to selling into security-conscious enterprises.
Planoda is pursuing SOC 2 Type II certification, with audit work in progress and certification targeted for the fourth quarter of 2026.
Related terms
- GDPRThe General Data Protection Regulation is the European Union's comprehensive data-protection law, in force since 2018. It governs how organizations collect, process, and store the personal data of people in the EU, granting individuals rights over their data — access, correction, deletion, portability — and imposing strict obligations on data handlers, backed by fines of up to 4% of global annual revenue.
- Encryption at RestEncryption at rest protects data while it is stored — on disks, in databases, in backups — by keeping it encrypted so that anyone who gains physical or low-level access to the storage cannot read it without the keys. It complements encryption in transit, which protects data moving over the network, to give end-to-end protection across a data's lifecycle.
- Audit TrailAn audit trail is an append-only, time-ordered record of who did what, when, and to which object across a system. Every create, edit, delete, and approval is logged immutably, so any state can be traced back to the actions that produced it. Audit trails underpin accountability, debugging, compliance, and — increasingly — oversight of what AI agents do.
- Principle of Least PrivilegeThe principle of least privilege holds that every user, service, or process should be granted only the minimum permissions needed to do its job — and nothing more. By default-denying access and granting narrowly, you shrink the attack surface: a compromised account or buggy component can only reach what it was explicitly allowed, limiting the blast radius of any failure.
- SSO (Single Sign-On)Single sign-on (SSO) lets users access many applications with one set of credentials, authenticating through a central identity provider instead of a separate login per app. Sign in once and you're recognized everywhere connected. SSO improves security and user experience at once — fewer passwords to reuse or forget, and centralized control over who can access what.