TL;DR: SOC 2 is an independent audit (not a certification) that makes sure a company’s data security controls meet specific Trust Services Criteria. Type II reports (testing controls over 3-12 months) are the enterprise standard. The framework covers five criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy.
Think of SOC 2 like a home inspection for your data security. Just as a home buyer hires an inspector to test electrical systems, plumbing, and structural integrity rather than accepting the seller’s claims, SOC 2 auditors examine your actual security measures, run tests, and document their findings in a formal report.
SOC 2 works the same way for companies that handle customer data. If you’re building a SaaS product on Bubble, managing a cloud service, or running any business that stores or processes other people’s information, your customers want proof that you’re protecting their data properly. They’re asking for your SOC 2 report before they’ll sign a contract, especially if they’re enterprise buyers.
This guide covers what SOC 2 compliance actually means, why it matters more in 2026 than ever before, the five Trust Services Criteria you can be assessed against, the critical difference between Type I and Type II reports, how to prepare for an audit, and how to read and evaluate SOC 2 reports from your own vendors.
What is SOC 2 compliance?
SOC 2 is an independent attestation (not a certification) issued by licensed Certified Public Accountant (CPA) firms that verifies your organization’s controls meet specific criteria for protecting customer data. An outside auditor examines your actual systems, tests your controls, and issues a formal report. Rather than a certification you can frame on the wall, you get detailed documentation that shows whether your security controls are designed properly and working effectively over time.
The framework comes from the American Institute of Certified Public Accountants (AICPA). While voluntary, enterprise customers increasingly require it from any vendor handling their data. SOC 2 applies to service organizations — companies that provide services to other businesses and handle their data.
Your customers don’t have to take your word for it when you say your security is solid. They can read the auditor’s opinion and see exactly what was tested. This is what makes SOC 2 different from a simple security questionnaire or self-assessment.
Why SOC 2 compliance matters in 2026
Enterprise buyers now expect SOC 2 Type II reports as baseline documentation before signing contracts, with 42% of organizations mandating SOC 2 or ISO certifications from vendors. What used to be “nice to have” has become table stakes for B2B software sales. Without a current report ready, you’ll lose deals to competitors who have one.
SOC 2 reports also simplify vendor management by replacing those long security questionnaires. Instead of answering 200 questions about your security practices for every new customer, you hand over a single report that covers everything in detail. This speeds up your sales cycle significantly: Enterprise procurement teams can review your SOC 2 report in days rather than spending weeks or months going back and forth on questionnaires.
Beyond sales, SOC 2 brings real internal governance benefits. It forces you to document security policies and procedures systematically. Many fast-growing startups handle security ad-hoc until they pursue SOC 2. The audit process reveals gaps, documents what’s actually working, and creates accountability through regular testing.External auditors spot control gaps before they turn into breaches, catching misconfigurations, missing documentation, and process weaknesses that your internal team often overlooks.
AI integrations and third-party data flows have completely changed what “in scope” means for most organizations. IBM’s 2025 Cost of a Data Breach Report found that 63% of organizations lack AI governance policies. So when AI systems or third-party vendors process customer data, they’re part of your SOC 2 scope and need appropriate controls.
And while it’s not technically an AICPA requirement, many buyers will ask for extra documentation (sometimes called bridge letters in practice) that covers the gap between your report’s end date and today, plus proof that you’re continuously monitoring things between annual audits.
When you build on Bubble, you inherit SOC 2 Type II compliant infrastructure, which automatically strengthens your own compliance posture and helps you close enterprise deals faster.
What are the Trust Services Criteria?
The Trust Services Criteria (TSC) are the five areas SOC 2 can assess. Think of them as different lenses for examining how you protect your data. Security is mandatory; every SOC 2 report must include it. The other four are optional: You select them based on what matters to your customers and your business model.
The AICPA defines specific control objectives for each criterion, and your auditor will test whether your controls actually meet them.
Security
Security covers how you protect systems and data from unauthorized access. This means user authentication, access controls, system monitoring, vulnerability management, and incident response procedures. Every organization must include security in their SOC 2 scope.
Controls typically include multi-factor authentication for system access, role-based permissions that limit who can see what, security scanning to identify vulnerabilities, and documented procedures for responding to security incidents. Your auditor will test whether these controls exist and whether they work consistently.
Availability
Availability measures whether your systems are accessible and usable when customers need them. This criterion matters most for SaaS platforms and critical infrastructure where downtime directly impacts customers’ operations.
Typical controls include uptime monitoring, capacity planning, disaster recovery procedures, and backup systems. Your auditor verifies that you track availability metrics, test your backups regularly, and have documented plans for recovering from outages.
Processing integrity
Processing integrity ensures that data processing is accurate, complete, timely, and authorized. This criterion is crucial for financial systems, payment processors, and any application where incorrect data processing causes real problems.
Controls include input validation to catch errors before data enters your system, error handling procedures, quality assurance processes, and reconciliation checks. Organizations that process transactions or perform calculations typically include this criterion.
Confidentiality
Confidentiality protects sensitive information beyond basic access controls. While security prevents unauthorized access, confidentiality specifically addresses how you protect proprietary data, trade secrets, and other sensitive business information once someone has legitimate access.
This criterion includes data classification policies, encryption for data in transit and at rest, secure transmission protocols, and information handling procedures. Organizations handling intellectual property or proprietary business data often include confidentiality.
Privacy
Privacy addresses how you collect, use, retain, disclose, and dispose of personal information. With regulations like GDPR and CCPA, privacy has become increasingly important for organizations handling user data.
Controls include consent management, data subject rights processes, retention policies, and procedures for deleting data when required. Organizations that handle personally identifiable information (PII) typically include privacy in their SOC 2 scope.
What’s the difference between SOC 2 Type I and Type II?
The main difference between Type I and Type II comes down to time. Type I checks whether your controls are designed properly at a single point in time. Type II tests whether those controls actually work over a sustained period.
Type I
A Type I report examines your controls at a specific date, usually the end of your audit preparation period. The auditor reviews your policies, tests your controls, and figures out whether they’re designed appropriately to meet the selected criteria.
Type I audits are faster and less expensive because they only require a point-in-time assessment. For organizations pursuing SOC 2 for the first time, Type I can serve as a validation checkpoint — confirming your controls are designed correctly before you invest six to 12 months collecting Type II evidence. This lets you catch and fix design flaws early rather than after a full observation period, when remediation means restarting the entire timeline. However, most enterprise customers view Type I reports as insufficient for vendor relationships because they don’t prove your controls work consistently over time.
Type II
A Type II report tests operating effectiveness over a defined observation period, typically three to 12 months. The auditor verifies that controls exist and samples activities throughout the period to confirm the controls worked consistently.
For example, if your policy requires quarterly access reviews, the auditor will check that you completed all quarterly reviews during the observation period, documented findings, and addressed any issues you discovered. Type II provides evidence of sustained compliance, not just a good snapshot. Enterprise buyers strongly prefer Type II reports because they show consistent security practices over time.
| Aspect | Type I | Type II |
|---|---|---|
| ⏰ Timeframe | Point-in-time snapshot on a specific date | 3–12 months of continuous observation |
| 🔍 What’s tested | Design of controls (are they appropriate?) | Operating effectiveness (do they work consistently?) |
| 📋 Evidence required | Policies, procedures, and configurations at audit date | Samples of control activities throughout observation period |
| ⏱️ Audit duration | 4–8 weeks for fieldwork | Observation period plus 4–8 weeks for fieldwork |
| 💰 Cost | Lower (less testing required) | Higher (sustained testing over time) |
| ✅ Customer acceptance | ⭐ Limited — mainly for initial readiness assessment |
⭐⭐⭐ Widely required by enterprise buyers |
| 📱 Mobile considerations | Same requirements for web and native mobile | Same requirements for web and native mobile — with Bubble, build web and native iOS/Android apps from a single platform with unified SOC 2 controls |
How to get SOC 2 compliance
Getting SOC 2 compliant follows a structured process from scoping through audit to ongoing maintenance. Most organizations spend four to six months preparing for their first Type I audit, then another six to 12 months collecting evidence for Type II.
Define scope and criteria
Start by figuring out which systems and data flows fall within your SOC 2 boundary. With Bubble’s visual workflows, you can see exactly how data moves through your app, making scoping waymore straightforward than code-based approaches. Your scope includes any system that stores, processes, or transmits customer data: Your production environment, databases, authentication systems, and third-party services that touch customer information.
Next, select which Trust Services Criteria to include based on what your customers need and your business model. Security is mandatory. Add availability if uptime matters to customers, processing integrity if you handle transactions or calculations, confidentiality if you manage proprietary information, and privacy if you collect personal data. Map your data flows to identify all thepoints where customer data enters, moves through, or exits your systems.
Gather policies and evidence
You’ll need core policies like information security policy, acceptable use policy, incident response procedures, change management process, and vendor management policy. These documents need to exist before the audit starts, and your team has to follow them consistently.
The evidence you’ll need depends on which controls you’re testing, but you’re typically looking at things like access review logs, vulnerability scan results, backup test documentation, incident response records, and vendor assessments. Bubble’s integrated security features help you continuously collect vulnerability evidence without juggling separate tools. Start collecting evidence the moment your observation period begins. You can’t backfill it later.
Key artifacts to prepare:
- Information security policy, acceptable use policy, incident response plan, disaster recovery procedures
- User provisioning tickets, quarterly access reviews, termination checklists, privilege escalation approvals
- Vulnerability scans, penetration test results, security patch logs, backup restoration tests
- Third-party risk assessments, vendor security questionnaires, contract reviews, vendor access termination records
Choose an independent CPA firm
Your auditor needs to be independent and experienced with SOC 2 examinations. Make sure they have relevant industry expertise: An auditor who understands SaaS infrastructure will run a more efficient audit than one who primarily audits manufacturing companies.
Request sample SOC 2 opinions and client references before selecting a firm. Ask about their approach to scoping, how they handle technical controls testing, and what level of support they provide during evidence collection.
Timeline and cost
You’re looking at two to four months from kickoff to getting your Type I report in hand, assuming you’ve already got your controls documented and running. For Type II, tack on another six to 12 months for the observation period before the auditor even starts their fieldwork.
Costsvary significantly based on your organization’s size, how complex your systems are, and how many criteria you’re tackling. What drives the price tag: how many systems fall in scope, how gnarly your tech stack is, which Trust Services Criteria you pick, and whether you’re starting from scratch or already have controls documented. First-timers usually end up spending more on getting everything ready and fixing gaps the auditor finds.
Maintain, renew, and bridge letters
SOC 2 compliance requires continuous effort, not just annual audit sprints. Bubble’s visual privacy rules and integrated security features help you maintain and evidence controls year-round without diving into code. Keep your evidence collection processes running year-round, conduct internal control testing quarterly, and document changes to your control environment as they happen.
Annual report renewals keep your SOC 2 current for customers. Plan for a new audit to begin two to three months before your current report expires so you don’t end up with gaps in coverage. While not part of the official AICPA SOC 2 framework, some organizations provide supplementary documentation (often called bridge letters in industry practice) to cover the period between the report end date and the current date, which customers may use to verify that controls remained in place and no significant changes occurred since the audit wrapped up.
How to read and use SOC 2 reports
SOC 2 reports follow a standard structure, but you need to read them carefully to understand what they actually prove. Verizon’s 2025 DBIR found third-party involvement in breaches doubled to 30%, which makes vendor evaluation more critical than ever. Enterprise procurement teams often request these reports without really knowing how to interpret them effectively.
Check scope, TSC, and carve-outs
First things first: Verify that the report actually covers the systems that will handle your data. If you’re evaluating a vendor for their API service but their SOC 2 only covers their web application, that report doesn’t give you relevant assurance. When you’re evaluating Bubble as a vendor, our SOC 2 Type II compliance covers the entire platform infrastructure: hosting, database, security, and deployment.
Make sure the relevant Trust Services Criteria are included. If you need availability guarantees but the report only covers security, you’re missing critical information about uptime controls. Pay close attention to carve-outs and exclusions. Vendors sometimes exclude critical components from scope, and you need to catch that.
Review exceptions and remediation
Control exceptions are findings where controls didn’t operate as designed. Here’s what matters: Not all exceptions are created equal. Some indicate minor documentation gaps while others reveal significant security weaknesses.
Evaluate severity based on how the exception could actually impact your data. A missing signature on one change management ticket is less concerning, but evidence that unauthorized users accessed production systems is a red flag. Read management’s response to understand what caused the exception and how they fixed it.
Confirm period and bridge letter
Check the report dates carefully. The observation period shows when controls were tested. The report issuance date shows when the auditor completed their work. Both matter.
A report with an observation period ending 18 months ago doesn’t give you much assurance about current controls. Request supplementary documentation confirming that controls remained in place through today, or ask when the vendor’s next audit will wrap up. And understand opinion types — an unqualified opinion means the auditor found controls operating effectively with no material exceptions.
Verify auditor independence
Confirm that the auditing firm is a licensed CPA firm with actual SOC 2 examination experience. The opinion letter will include the auditor’s name and license information.
Check that the auditor is independent from the vendor. Independence rules prohibit auditors from designing the controls they audit or having financial interests in the company they’re examining. That’s a conflict of interest you want to avoid.
Conclusion: SOC 2 compliance brings structure to customer data protection
SOC 2 takes all those security practices you’ve been handling on the fly and turns them into something structured and auditable. Whether you’re going through your first audit or you’re the one evaluating vendors during procurement, understanding how this framework actually works helps you make smarter decisions about protecting data.
Start by nailing down your scope and collecting evidence as you go; don’t wait until the last minute. Find audit partners who actually get your tech stack. If your auditor understands visual development platforms like Bubble, they can move through your controls way faster since everything’s visible in workflows and privacy rules instead of buried somewhere in thousands of lines of code. Once you’ve got your controls documented and testable, audits stop feeling like emergencies and start feeling like routine checkups.
Bubble gives you SOC 2 Type II infrastructure right out of the box: visual privacy rules, integrated security features, AI-powered privacy rule generation, the whole package. Our security features are constantly scanning for vulnerabilities, and when the Bubble AI Agent (beta) creates data types, it automatically generates privacy rules to lock down your database. You get enterprise-grade security baked into your foundation, so you can focus on building your product’s unique workflows and business logic. Everything’s visual, everything’s understandable, no code required. Get started with Bubble today.
Frequently asked questions
Is SOC 2 a certification or an independent attestation?
SOC 2 is an independent attestation report issued by licensed CPA firms, not a formal certification like ISO standards. The distinction matters. Certifications involve achieving a standard, while attestations verify that specific controls met defined criteria during the examination period.
Is SOC 2 compliance mandatory for service organizations?
SOC 2 is voluntary — no law requires it. However, enterprise customers increasingly treat current SOC 2 Type II reports as mandatory for any service organization handling their data, making it effectively required for B2B SaaS companies pursuing enterprise contracts.
How long does a SOC 2 Type II report remain valid?
Most enterprise buyers expect fresh annual reports. While reports don’t technically “expire,” customers typically want reports with observation periods ending within the past 12 months plus supplementary documentation confirming controls remained in place through the current date.
What’s the difference between SOC 2 and ISO 27001 compliance?
SOC 2 is an attestation examining specific controls over a defined period, while ISO 27001 is a certifiable management system standard for ongoing information security. SOC 2 reports are shared with customers to demonstrate controls, while ISO 27001 certification proves you maintain a security management system.
Does SOC 2 cover AI systems and third-party service providers?
Yes. If AI systems or third-party vendors process customer data, they fall within SOC 2 scope and require appropriate controls. This includes AI model providers, cloud infrastructure, payment processors, and any other service touching data within your control boundary. When you use the Bubble AI Agent to build features, the Agent operates within Bubble’s SOC 2 Type II compliant infrastructure and automatically generates privacy rules for data types it creates.
Build for as long as you want on the Free plan. Only upgrade when you're ready to launch.
Join Bubble
