What is SOC-2?

SOC-2 is an assurance framework created by the American Institute of CPAs (AICPA) that helps organizations design, implement and operate controls to meet security, availability, processing integrity, confidentiality and privacy objectives.

The SOC-2 framework is based on five trust principles:

  • Security: The system is protected against unauthorized access, both physical and logical.
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing integrity: System processing is complete, accurate, timely, and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

SOC-2 compliance helps an organization with:

  • Demonstrating commitment to security and privacy
  • Meeting security and compliance requirements
  • Reducing risk
  • Avoiding fines and penalties
  • Gaining customer confidence
  • Gaining partner confidence


What is the difference between a SOC-1 and SOC-2 report?

A SOC-1 report is one that an organization can commission to validate its controls over financial reporting. A SOC-1 report is also commonly referred to as an SSAE-16 (pronounced “essay-16”) report. It is the most basic type of SOC report and is designed for organizations concerned with internal financial reporting.

A SOC-2 report is one that an organization can commission to validate its controls over the systems used to process data. The SOC-2 report is an independent evaluation of the controls implemented to protect your clients (and their data) from a security, availability, processing integrity, confidentiality, and privacy perspective.

Download additional compliance reports from the Exoscale compliance center.


Contact our Compliance Team

A doubt? Unsure whether we comply with a specific regulation not listed here?

Contact our Compliance Team and let us know your requirements. They may be covered by other certifications or regulations we comply with.