Attestation · trust services criteria

SOC 2

SOC 2 is an attestation against the AICPA Trust Services Criteria. It is the report North American enterprise customers ask for, and it is issued by a CPA firm.

Book a scoping call All frameworks

Who it applies to

▸SaaS and service providers, especially those selling to US enterprises

▸Vendors blocked in procurement without a report

▸Teams choosing between Type 1 and Type 2

What it requires

The obligations, in plain terms.

Trust Services Criteria

Controls mapped to security, and optionally availability, confidentiality, processing integrity, and privacy.

Type 1 or Type 2

A point-in-time design opinion (Type 1) or an operating-effectiveness opinion over a period (Type 2).

Evidence

Continuous evidence that the controls operate as described.

CPA audit

An independent CPA firm performs the examination and issues the report.

How Raptoric helps

We do the engineering work, not just the paperwork.

Readiness assessment

We find the gaps before the auditor does and scope the right criteria.

Control build-out

We implement the technical and process controls the report depends on.

Evidence

We help set up the evidence collection that makes Type 2 sustainable.

Audit support

We work alongside your CPA firm through the examination.

We get you report-ready and validate the controls. The report itself is issued by an independent CPA firm.

Services that deliver it

Security Program & Risk→Application & Cloud Security→Threat Detection & Response→

FAQ

Questions, answered

What is a SOC 2 report?

An attestation that you have security controls and follow them, valued by customers evaluating you as a vendor. Type I is point-in-time; Type II covers a period.

Does passing SOC 2 mean we are secure?

It means an auditor confirmed your controls exist and operate. It does not mean an attacker cannot get in. We build for security first, so the report reflects real defense.

How do you help with SOC 2?

We map your controls to the Trust Services Criteria, close the gaps, and produce the evidence, then your auditor runs the attestation.

SOC 2 or ISO 27001 first?

It depends on your market. SOC 2 is common for North American buyers; ISO 27001 for EU and global. We help you choose and avoid duplicate work.

Need to be ready for SOC 2?

A senior engineer will scope the work with you on a 30-minute call.

Book a scoping call or email contact@raptoric.com