Glossary
SOC 2
An auditing framework from the AICPA for service organizations, evaluating controls across security, availability, processing integrity, confidentiality, and privacy.
SOC 2 is the de facto baseline for B2B SaaS in the United States. It is not a regulation — it is an auditing framework. A SOC 2 report is the output of an auditor's evaluation of your controls against five Trust Service Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy (each optional, scoped to what the customer cares about).
There are two report types. SOC 2 Type I is a point-in-time snapshot — your controls were designed correctly on date X. SOC 2 Type II is an observation period (typically 6 to 12 months) — your controls operated effectively over a window. Enterprise procurement teams almost always require Type II.
For an AI system, SOC 2 raises specific questions: how do you isolate customer data, how do you log and review access to that data, how do you handle sub-processors (the LLM provider, the vector database, the embedding endpoint), and how do you respond when one of them changes their security posture. Each of these maps to one or more SOC 2 controls.
The practical advice: design for SOC 2 from day one if your customers will require it. Retrofitting SOC 2 onto a system that was not designed for it is expensive and slow. The biggest cost line items are typically logging infrastructure, access review automation, and the people-time for the audit period.
Related terms
Audit Logging for AI
Recording every model invocation — the requesting user, the input, the retrieved context, the model's output, and the tools it called — in a tamper-evident log.
HIPAA-Aligned AI
AI systems designed so that protected health information (PHI) flows only through HIPAA-eligible services, with audit logging, access controls, and BAA coverage end-to-end.