Glossary
What Is SOC 2?
SOC 2 (System and Organization Controls 2) is an audit report produced under AICPA attestation standards that attests to a service organisation's controls against five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. It is the de facto B2B SaaS trust report in North America and is increasingly requested by European buyers procuring from US-headquartered vendors.
Type I vs Type II
Type I attests to controls at a point in time (a snapshot). Type II attests to controls over a period (usually 6-12 months) — auditors test that controls operated effectively across that window. Type II is what enterprise procurement asks for; Type I is the bridge while you build evidence for the first Type II.
Where penetration testing fits
SOC 2 doesn't require pentesting by name. The Security trust criterion includes controls such as CC6.1 (logical and physical access) and CC7.1 (system operations), and auditors typically accept pentest reports as evidence supporting these. For the supplemental Privacy and Confidentiality categories, a regular pentest cadence is also commonly used as evidence of ongoing vulnerability assessment.
SQUR and SOC 2
SQUR pentest reports include the SOC 2 control-mapping table (which Common Criteria control the finding affects). For SaaS companies pursuing SOC 2 Type II, regular SQUR scans provide the contemporaneous evidence auditors need for the "during the period" testing requirement.
Frequently asked questions
Is SOC 2 European-recognised?
Yes, but not as a substitute for EU-specific certifications. European enterprise buyers increasingly accept SOC 2 Type II as a baseline (especially for SaaS), but regulated sectors (banking under DORA, critical infrastructure under NIS2) need their own specific evidence on top.
How long does SOC 2 Type II take?
Typically 9-15 months end-to-end for a first-time audit: readiness assessment (1-2 months) → control implementation (3-6 months) → observation period (6-12 months) → audit fieldwork (1-2 months) → report. Many SaaS companies start with a Type I after 2-3 months so they have something to show enterprise prospects while building toward Type II.