:PROPERTIES:
:ID: auto-soc2
:CREATED: [2026-05-23 Sat]
:END:
#+title: SOC 2 (System and Organization Controls 2)
#+filetags: :passepartout:compliance:framework:soc2:

* SOC 2 (System and Organization Controls 2)
** What it is
An auditing standard developed by the AICPA (American Institute of CPAs). Not a law, and strictly speaking not a certification either: a licensed CPA firm examines a service organization's controls over security, availability, processing integrity, confidentiality, and privacy and issues an attestation report with an opinion on whether those controls meet the defined criteria. "SOC 2 certified" in vendor marketing means "has a current SOC 2 report".

Five Trust Services Criteria (TSC) categories:
- **Security** (mandatory, the "Common Criteria"): protection against unauthorized access, both logical and physical (firewalls, access control, intrusion detection, change management, monitoring)
- **Availability** (optional): the system is available for operation and use as committed (uptime, redundancy, disaster recovery)
- **Processing Integrity** (optional): system processing is complete, valid, accurate, timely, and authorized
- **Confidentiality** (optional): information designated as confidential is protected as committed
- **Privacy** (optional): personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization's commitments

Two report types:
- **Type I:** controls are suitably designed and implemented at a specific point in time
- **Type II:** controls were also operating effectively over an observation period (typically 6-12 months; shorter first-year periods are common). Type II is what enterprise customers actually ask for.

** Who must comply
Nobody is legally required to. In practice, any SaaS or cloud service provider whose enterprise customers require audited vendors. Table stakes for B2B: most enterprise procurement and vendor-risk processes require a current SOC 2 Type II report, usually refreshed annually.

** Penalties
No direct fines (not a law). The costs are commercial: a qualified opinion, a lapsed report, or no report at all means failing vendor review and losing or never winning enterprise customers. Misrepresenting audit status to customers (claiming a report you do not have, or hiding a qualified opinion) is misrepresentation and can carry contractual and legal consequences on top of the reputational ones.

** Why it matters for the triad
SOC 2 is the entry-level attestation for the [[file:compute-marketplace.org][compute marketplace]]. A provider needs a SOC 2 Type II report to sell compute to enterprises whose procurement policy requires audited vendors.
The gate stack itself maps directly to the Security criterion (access controls, audit trails): the Passepartout instance's deterministic gate log is the evidence artifact an auditor samples to confirm that access decisions were made by the stated controls throughout the Type II period. For that to hold, the log has to be tamper-evident, complete for the whole period, and retained past the report date, and someone has to be able to show the auditor how a given decision is reconstructed from it. Caveats a practitioner should keep in mind: the gate log covers the access-control and audit-trail criteria, not the rest of the Common Criteria (risk assessment, change management, personnel, vendor management still need their own evidence), and the Security criteria also expect monitoring and response for anomalous activity, so "no separate SIEM" means the gate log replaces a separate access-audit pipeline, not that nothing else needs to be logged or watched. This is the prerequisite to the larger [[file:verification-monopoly.org][verification monopoly]] play: once enterprises trust the audit trail, they buy domain-specific gate packages for the same infrastructure.
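What "deterministic, tamper-evident gate log as audit evidence" looks like in practice, as an added illustration written for this note rather than Passepartout's actual log format (the entry fields, the hash-chain scheme, and the sample entries below are all assumptions constructed for the example): every decision is appended with a hash that covers the previous entry's hash, so a verifier can detect edited, deleted, or reordered entries, and an evidence window for the Type II observation period can be cut out of the chain and handed to the auditor.

```python
import hashlib
import json

# Hash of the (nonexistent) entry before the first one.
GENESIS = "0" * 64


def _entry_hash(record):
    """SHA-256 over the canonical JSON of every field except 'hash'."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log, ts, gate, subject, decision):
    """Append one gate decision, chained to the previous entry by hash."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {
        "seq": len(log),        # position; detects deletion/reordering
        "ts": ts,               # ISO-8601 UTC, assumed field name
        "gate": gate,           # which gate made the decision (assumed)
        "subject": subject,     # who/what was being gated (assumed)
        "decision": decision,   # "allow" / "deny"
        "prev": prev,           # hash of the previous entry
    }
    record["hash"] = _entry_hash(record)
    log.append(record)
    return record


def verify_chain(log):
    """Return (True, None) if the chain is intact, else (False, first_bad_seq).

    Checks, for every entry: its seq matches its position, its prev field
    equals the previous entry's hash, and its own hash recomputes.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _entry_hash(rec):
            return False, i
        prev = rec["hash"]
    return True, None


def evidence_window(log, start, end):
    """Entries with start <= ts < end. Same-format ISO-8601 strings sort lexically."""
    return [r for r in log if start <= r["ts"] < end]


def tamper(log, seq, field, value):
    """Deep copy the log and edit one field of one entry (for demonstrating detection)."""
    bad = json.loads(json.dumps(log))
    bad[seq][field] = value
    return bad


def build_sample_log():
    """Constructed sample entries, not real Passepartout output."""
    log = []
    append_entry(log, "2026-01-05T09:00:00Z", "ssh-access", "alice", "allow")
    append_entry(log, "2026-01-05T09:01:00Z", "ssh-access", "mallory", "deny")
    append_entry(log, "2026-02-10T14:30:00Z", "deploy-approval", "bob", "allow")
    append_entry(log, "2026-07-01T00:00:00Z", "ssh-access", "alice", "allow")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    # Flip a denied access to "allow" after the fact: the hash no longer matches.
    print("edited:", verify_chain(tamper(log, 1, "decision", "allow")))
    # Drop an entry: the next entry's seq and prev link both fail.
    print("deleted:", verify_chain(log[:1] + log[2:]))
    # Evidence for a six-month Type II period.
    window = evidence_window(log, "2026-01-01T00:00:00Z", "2026-07-01T00:00:00Z")
    print("entries in period:", [r["seq"] for r in window])
```

The chain only proves integrity relative to its own head hash, so the head hash has to be anchored somewhere the log writer cannot rewrite (periodically written to a separate append-only store, signed, or published); otherwise an attacker with write access to the whole file simply re-chains it. That anchoring, plus retention past the report date, is what turns a log into audit evidence.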