Compliance · Intermediate · Updated April 10, 2026

What Is SOC 2?

SOC 2 is an auditing framework developed by the AICPA that evaluates how service organizations manage customer data across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy.

Also known as: SOC 2 Type I, SOC 2 Type II, Service Organization Control 2, AICPA SOC 2

Key Takeaways

  • SOC 2 Type II — covering a 6–12 month observation period — is the standard enterprise buyers require, not Type I.
  • Only the Security (Common Criteria) category is mandatory; choose additional criteria based on your service commitments.
  • SOC 2 does not replace PCI DSS — payment companies handling card data need both frameworks.
  • Compliance automation tools can cut readiness time by 50% or more compared to fully manual evidence collection.
  • A current SOC 2 report is increasingly a hard requirement to close enterprise SaaS and fintech contracts.

How SOC 2 Works

SOC 2 audits are conducted by independent, licensed CPA firms accredited by the American Institute of Certified Public Accountants (AICPA). The process begins with a readiness assessment, moves through evidence collection, and concludes with the auditor issuing a formal report that customers and prospects can review under NDA.

01. Define Scope and Criteria

Identify which of the five Trust Service Criteria apply to your services. Security is always required. Payments and infrastructure platforms commonly add Availability and Confidentiality. Narrow scope lowers cost and audit complexity.

02. Readiness Assessment

A pre-audit gap analysis maps your current controls against the AICPA's Common Criteria. Gaps — missing access logs, no formal incident response plan, weak vendor management — are documented and remediated before the formal audit clock starts.

03. Implement and Document Controls

Controls must be operational and documented. This includes logical access management, encryption standards, change management procedures, monitoring and alerting, and business continuity plans. Evidence must be collectible and auditable.

04. Observation Period (Type II Only)

For a Type II report, the auditor observes your controls operating continuously for 6–12 months. During this window, any control failure — an unreviewed access log, a missed security patch — becomes a finding in the final report.

05. Audit Fieldwork and Reporting

The CPA firm reviews evidence, interviews personnel, and tests controls. The resulting SOC 2 report includes the auditor's opinion, a description of your system, and a list of any exceptions. Customers receive the report under a non-disclosure agreement.

06. Annual Renewal

SOC 2 reports are typically valid for 12 months. Enterprise contracts often require a current report at all times, meaning continuous compliance programs — not one-time efforts — are needed to retain and grow enterprise accounts.

Why SOC 2 Matters

SOC 2 has moved from a nice-to-have to a commercial necessity across the SaaS and fintech landscape. Procurement teams at mid-market and enterprise companies now include SOC 2 Type II as a standard vendor qualification gate, alongside PCI compliance and GDPR attestations.

The business stakes are real. According to Vanta's 2024 State of Trust report, 88% of enterprise buyers require a SOC 2 report before sharing sensitive data with a vendor, and deals that stall on compliance documentation take an average of 3x longer to close. Separately, Drata's research found that companies with a current SOC 2 report close enterprise deals 3–5 weeks faster on average than those without, because security review cycles are compressed when audit evidence is already packaged.

For payment platforms specifically, the combination of SOC 2 and other frameworks is increasingly table stakes. A data breach affecting a vendor without a SOC 2 program creates immediate liability questions for the enterprise customer — SOC 2 shifts the burden of proof before an incident occurs rather than after.

Auditor Independence

SOC 2 reports must be issued by a licensed CPA firm, not a vendor-supplied self-assessment. This is what distinguishes SOC 2 from questionnaire-based frameworks and gives enterprise procurement teams confidence in the results.

SOC 2 vs. ISO 27001

Both SOC 2 and ISO 27001 are widely recognized information security frameworks, but they serve different markets and operate under different governance structures.

Dimension            | SOC 2                             | ISO 27001
---------------------|-----------------------------------|-------------------------------------------
Governing body       | AICPA (U.S.)                      | ISO/IEC (international)
Output               | Audit report (shared under NDA)   | Certification (publicly assertable)
Scope                | Flexible Trust Service Criteria   | Full ISMS required
Primary market       | North America                     | Europe, Asia, global enterprise
Renewal cycle        | Annual report                     | 3-year certification + annual surveillance
Mandatory controls   | Security (Common Criteria) only   | All 93 Annex A controls scoped
Cost benchmark       | $20K–$150K audit fee              | $15K–$100K certification cost
Time to first report | 8–16 months (Type II)             | 6–18 months

For companies selling primarily into North American enterprise markets, SOC 2 Type II is usually the priority. Companies with European customers or global operations frequently pursue both frameworks — they share significant control overlap, so achieving one reduces the incremental effort for the other by 40–60%.

Types of SOC 2

Understanding the two report types prevents a common mistake where teams invest months of effort in a Type I report only to have enterprise buyers ask for Type II.

SOC 2 Type I examines whether a company's security controls are designed appropriately as of a specific date. It is a point-in-time snapshot. Type I is useful for early-stage companies that need to demonstrate baseline security posture to close an initial enterprise deal while a longer observation period is underway.

SOC 2 Type II examines whether those controls operated effectively over a defined period — typically 6 to 12 months. This is the report that enterprise procurement teams, security teams, and regulated industries require. It is significantly more demanding to achieve and significantly more credible as a trust signal.

Bridge Letters

When a SOC 2 Type II report is nearing expiration but the new audit period has not closed, auditors can issue a bridge letter or management assertion to cover the gap period. Buyers may accept this to avoid stalling a deal.

Best Practices

For Merchants

When evaluating payment vendors or SaaS partners, treat SOC 2 reports as baseline procurement hygiene rather than a differentiator. Request the full report — not just a summary — and review the auditor's exceptions section carefully. A report with zero exceptions is ideal; a report with exceptions that have been remediated and documented is acceptable. An unqualified opinion from a reputable CPA firm matters more than a clean-looking summary page. Also confirm the report observation period is current: a report more than 12 months old provides limited assurance about today's controls.

For Developers

Build SOC 2 into your development lifecycle from day one rather than retrofitting controls onto a mature codebase. Use infrastructure-as-code and enforce it — auditors love configuration that is provably consistent. Instrument your systems with centralized logging from the start; log aggregation is required evidence for multiple Common Criteria controls and costs far more to retrofit than to implement early. Use a compliance automation platform (Vanta, Drata, Secureframe, Tugboat Logic) to continuously collect evidence rather than scrambling at audit time. Automate access reviews on a quarterly cadence — manual access review processes consistently generate audit findings.
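The quarterly access review mentioned above is one of the easiest controls to automate and one of the most common sources of findings when done by hand. The script below is an added example, not Tagada's code or any compliance platform's API: it reconciles an IAM account export against an HR roster, flags the conditions an auditor expects a review to surface (terminated staff with live accounts, accounts with no HR owner, dormant logins, reviews past the 90-day cadence, privileged roles), and wraps the result in a dated, hashed evidence record. The roster rows, account rows, field names and the 90-day thresholds are all constructed for illustration; substitute your own exports and policy values.

```python
"""Quarterly access review generator (added example; assumed field names and
constructed sample data, not the page's own tooling)."""
import hashlib
import json
from datetime import date

REVIEW_CADENCE_DAYS = 90   # quarterly review window
STALE_LOGIN_DAYS = 90      # dormant-account threshold (assumed policy value)
REVIEW_DATE = date(2026, 4, 10)  # "as of" date for the sample run

# Constructed HR roster export (assumed field names).
HR_ROSTER = [
    {"employee_id": "E100", "email": "ana@example.com", "status": "active"},
    {"employee_id": "E101", "email": "ben@example.com", "status": "terminated"},
    {"employee_id": "E102", "email": "cy@example.com", "status": "active"},
]

# Constructed IAM account export (assumed field names, ISO dates).
IAM_ACCOUNTS = [
    {"email": "ana@example.com", "role": "admin",
     "last_login": "2026-03-30", "last_reviewed": "2026-01-05"},
    {"email": "ben@example.com", "role": "engineer",
     "last_login": "2025-11-02", "last_reviewed": "2025-10-01"},
    {"email": "cy@example.com", "role": "engineer",
     "last_login": "2025-12-20", "last_reviewed": "2026-02-14"},
    {"email": "svc-deploy@example.com", "role": "service",
     "last_login": "2026-04-01", "last_reviewed": "2025-09-01"},
]


def _days_since(iso_date: str, as_of: date) -> int:
    """Whole days between an ISO date string and the review date."""
    y, m, d = map(int, iso_date.split("-"))
    return (as_of - date(y, m, d)).days


def review_access(accounts, roster, as_of: date) -> dict:
    """Reconcile IAM accounts against HR and return the review findings."""
    active = {r["email"] for r in roster if r["status"] == "active"}
    terminated = {r["email"] for r in roster if r["status"] == "terminated"}
    findings = {
        "terminated_with_access": [],  # offboarding gap: must be revoked
        "unmatched_accounts": [],      # no HR owner: service account or orphan
        "dormant_accounts": [],        # no login within STALE_LOGIN_DAYS
        "overdue_reviews": [],         # last review older than the cadence
        "admin_accounts": [],          # privileged roles needing explicit approval
    }
    for acct in accounts:
        email = acct["email"]
        if email in terminated:
            findings["terminated_with_access"].append(email)
        elif email not in active:
            findings["unmatched_accounts"].append(email)
        if _days_since(acct["last_login"], as_of) > STALE_LOGIN_DAYS:
            findings["dormant_accounts"].append(email)
        if _days_since(acct["last_reviewed"], as_of) > REVIEW_CADENCE_DAYS:
            findings["overdue_reviews"].append(email)
        if acct["role"] == "admin":
            findings["admin_accounts"].append(email)
    return findings


def evidence_record(findings: dict, as_of: date, reviewer: str) -> dict:
    """Wrap findings in a dated record with a content hash for the evidence store."""
    body = {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "cadence_days": REVIEW_CADENCE_DAYS,
        "findings": findings,
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["sha256"] = hashlib.sha256(canonical).hexdigest()
    return body


def run_sample_review() -> dict:
    """Run the review over the constructed sample data."""
    findings = review_access(IAM_ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    return evidence_record(findings, REVIEW_DATE, "security-lead")


if __name__ == "__main__":
    print(json.dumps(run_sample_review(), indent=2))
```

Scheduling this on a quarterly cron and committing the JSON output (or uploading it to your compliance platform) gives the auditor exactly the contemporaneous evidence the observation period demands: a record of what was reviewed, when, by whom, and what was found. The "unmatched accounts" bucket is deliberately separate from terminated users, since service accounts are legitimate but still need a named owner and their own review trail.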

Common Mistakes

Several recurring errors slow SOC 2 programs or generate audit findings that damage customer trust.

Treating SOC 2 as a one-time project. The audit cycle is annual. Organizations that treat compliance as a project rather than a continuous program find themselves scrambling every 10 months, generating findings, and losing the institutional knowledge needed to sustain controls.

Scoping too broadly. Including every system, product, and team in scope dramatically increases cost and audit risk. Define a tight, defensible scope boundary that covers the systems customers actually care about. Tighten scope on the first audit; expand it on renewals.

Ignoring vendor management. SOC 2 requires you to assess the security posture of your own sub-processors and vendors. Organizations that overlook vendor risk assessments receive findings even when their own controls are clean.

Poor evidence collection habits. Auditors need contemporaneous evidence — logs, screenshots, approval records — not retrospective documentation created the week before fieldwork. Teams that do not collect evidence continuously during the observation period cannot reconstruct it accurately.

Conflating SOC 2 with encryption alone. Security-focused teams sometimes over-invest in encryption while under-investing in access control, change management, and incident response. SOC 2 Common Criteria covers all of these areas; gaps in any one area generate findings.

SOC 2 and Tagada

Tagada is a payment orchestration platform that routes transactions across multiple processors, acquirers, and payment methods. When you connect your payment stack through Tagada, you inherit the platform's security controls for that integration layer — but SOC 2 compliance requires visibility into every sub-processor in the chain. Tagada's vendor documentation and security posture reports can be submitted directly as evidence in your SOC 2 vendor management review, reducing the evidence collection burden for that control domain. Ask your Tagada account team for the current security package when preparing for your next audit cycle.

Frequently Asked Questions

What is the difference between SOC 2 Type I and SOC 2 Type II?

SOC 2 Type I evaluates the design of a company's security controls at a single point in time — it is a snapshot. SOC 2 Type II goes further: it assesses whether those controls operated effectively over an observation period, typically 6 to 12 months. Enterprise buyers almost always require a Type II report because it demonstrates sustained, proven security practices rather than a one-time design review.

Is SOC 2 mandatory for payment companies?

SOC 2 is not legally mandated, but it has become a de facto commercial requirement for any B2B SaaS or payment platform selling to enterprise customers. Large retailers, banks, and regulated businesses will typically require a current SOC 2 Type II report before signing a vendor contract. Without it, deals stall or close with a competitor who has the report in hand.

How long does it take to get SOC 2 certified?

Type I audits typically take 2–4 months from readiness assessment to report issuance. Type II audits require an additional observation window of 6–12 months before the auditor can issue a report, making the total timeline 8–16 months for first-time recipients. Organizations that use compliance automation platforms can meaningfully compress the readiness phase.

Which Trust Service Criteria are required for SOC 2?

Only the Security criterion (also called the Common Criteria) is mandatory in every SOC 2 engagement. The remaining four — Availability, Processing Integrity, Confidentiality, and Privacy — are optional and selected based on the services the organization provides and what matters most to its customers. Payment platforms typically include Availability and Confidentiality alongside Security.

How much does a SOC 2 audit cost?

Audit fees vary widely depending on organization size and scope. Small startups typically pay $20,000–$50,000 for a Type II audit from a licensed CPA firm. Mid-market companies can expect $50,000–$150,000. Additional costs include internal preparation time, penetration testing, and compliance tooling subscriptions, which can add another $10,000–$50,000 to the total investment.

Does SOC 2 replace PCI DSS for payment companies?

No. SOC 2 and PCI DSS address different regulatory questions and neither replaces the other. PCI DSS is specifically mandated by card networks for any entity that stores, processes, or transmits cardholder data. SOC 2 is a voluntary trust framework covering broader information security. A payment platform handling card data typically needs both certifications to satisfy enterprise customers and card brand rules simultaneously.
