SOC 2 Type 2: what enterprise buyers should actually ask for
A field guide for procurement teams reviewing SOC 2 reports. Not all attestations are equal.
Somewhere along the way, “SOC 2 certified” became a checkbox. A vendor puts the badge on their website, procurement ticks the row in the spreadsheet, and everyone moves on. The problem is that “SOC 2 certified” isn’t actually a thing — and the badge tells you almost nothing about what was examined, for how long, or what the auditor found.
SOC 2 is an attestation, not a certification: an independent auditor’s report, produced under the AICPA’s attestation standards, on a vendor’s controls against the Trust Services Criteria. Two vendors can both “have SOC 2” and offer wildly different levels of assurance. The difference lives in the report — which is exactly why you should ask for it, and know how to read it.
Type 1 tells you the controls exist. Type 2 tells you they ran.
A Type 1 report is a photograph: the auditor confirms that, on one specific date, controls were suitably designed. A Type 2 report is a film: the auditor tests whether those controls actually operated, over a period — typically six to twelve months.
The gap between the two is the gap between “we wrote the policy” and “we followed it for a year, and someone checked.” If a vendor leads with Type 1, ask when their Type 2 period ends. And for any Type 2, check the period itself: a report covering three months is materially weaker than one covering twelve, and a report whose period ended eighteen months ago is a historical document. For the gap between the report’s end date and today, ask for a bridge letter.
Scope is where the sleight of hand happens
The most important page of a SOC 2 report isn’t the opinion — it’s the system description. Three scope questions do most of the work:
- Which system? The attestation covers a named system, not the company. A vendor can scope their marketing website or a legacy product and still, truthfully, “have SOC 2.” Confirm the scoped system is the product you’re actually buying.
- Which criteria? Only Security (the common criteria) is mandatory. Availability, Confidentiality, Processing Integrity and Privacy are optional add-ons. If your data’s confidentiality matters — and in telecom expense data, contract rates and inventory, it does — check that Confidentiality is in scope, not just Security.
- What’s carved out? Most SaaS vendors run on cloud infrastructure and use the “carve-out” method: the hyperscaler’s controls are excluded from testing and relied upon separately. Reasonable — but the report will also list complementary user entity controls: things you are assumed to be doing, like managing your own user access. Someone on your side should actually read that list.
Read the exceptions before the opinion
An unqualified (“clean”) opinion is the headline, but the substance is in the test results. Auditors record exceptions — controls that didn’t operate as described — even in clean reports. A handful of minor exceptions with credible management responses is normal and, frankly, more believable than a spotless report. What you’re looking for is the pattern: exceptions clustered around access control or change management are a different conversation than a missed log review.
A vendor’s willingness to walk you through their exceptions page tells you more about their security culture than the badge on their website ever will.
The questions, in one list
- Type 1 or Type 2 — and what period does the Type 2 cover?
- Is the scoped system the product we’re buying?
- Which Trust Services Criteria are in scope beyond Security?
- Which subservice organisations are carved out, and what are we assumed to control ourselves?
- Were there exceptions, and what were the management responses?
- Can we have the report under NDA, and a bridge letter for the period since it closed?
If a vendor can’t — or won’t — answer those six, the badge was doing a lot of work.
Where Veroxos stands, since you should ask us too
Fair’s fair: Veroxos operates under StableLogic’s ISO 27001-certified information security management system, and our SOC 2 Type 2 audit is in progress, expected FY28. Until the report exists we won’t claim it — you’ll notice it’s marked “audit in progress” everywhere on this site. In the meantime, we’ll answer every question on the list above under NDA, and our AI Governance Paper publishes the audit-log architecture and human-in-the-loop design most questionnaires ask about — ungated, no form.
Evaluating TEM platforms this year? Put your security questionnaire — and your own numbers — in front of us in a 30-minute demo.
