SOC 2
Also: SOC 2 Type II, System and Organization Controls 2
SOC 2 is an independent audit report, issued by an outside CPA firm rather than the vendor itself, confirming that a company's security, availability and confidentiality controls actually work as claimed over a period of time.
SOC 2 (System and Organization Controls 2) is an auditing standard from the American Institute of CPAs. A vendor doesn't 'pass' SOC 2 once; an independent auditor examines its controls against the relevant Trust Services Criteria (security is mandatory; availability, confidentiality, processing integrity and privacy are optional add-ons) and issues a report. The result isn't public certification like a badge; it is a private report the vendor shares under NDA, usually via a trust-center portal.
Type I versus Type II
Two report types matter for buyers. A Type I report checks whether controls are designed correctly at a single point in time. A Type II report, the one worth asking for, checks whether those controls actually operated effectively over an observation window, typically six or twelve months. Type II is meaningfully stronger evidence than Type I, because it is evidence of sustained practice, not a one-day snapshot.
What SOC 2 doesn't cover
For AI tools, SOC 2 doesn't say anything directly about whether the vendor trains on your data or will sign a BAA; those are separate, specific questions. What it does say is that an outside party has verified the vendor has real security operations: access controls, monitoring, incident response, change management. Treat it as a baseline hygiene signal, not a complete answer to 'is this tool safe for our data.'
Who holds one
Most major AI vendors, OpenAI, Anthropic, Google, Microsoft, GitHub, Grammarly, Notion, Zoom, Otter.ai, Cursor and Perplexity among them, hold a SOC 2 Type II report. A handful of consumer-first tools, like Midjourney, do not publicly document one; that gap is itself useful information when you are comparing options. ModelCharter's SOC 2 compliance hub and the AI Tool Risk Directory record each tool's SOC 2 status.