VDR glossary · Compliance

SOC 2

An AICPA audit report on how a provider handles the security, availability, and confidentiality of customer data.

SOC 2 (System and Organization Controls 2) is an independent audit, performed by a licensed CPA firm against criteria set by the American Institute of Certified Public Accountants (AICPA), that examines how a service provider protects customer data. Rather than checking a fixed list of technical settings, it evaluates the controls a company actually operates against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. For a virtual data room, a SOC 2 report is third-party evidence that the vendor holding your most sensitive deal documents runs the access, encryption, monitoring, and incident processes it claims to. The report itself is a detailed document written by the auditor, not a logo or a one-line badge, and that distinction matters when you evaluate providers.

SOC 2 Type I versus Type IIType I audits the design of controls at a single point in time; Type II audits how those same controls operated across a period of six to twelve months.SOC 2 Type I vs Type IIType IControls designed correctlya single point in timeType IIControls operated effectivelyacross 6 to 12 months of evidence

How does SOC 2 work in a virtual data room?

A SOC 2 engagement starts with the provider defining which of its systems are in scope and which Trust Services Criteria apply. Security is always mandatory; the other four are added when relevant. The auditor then gathers evidence: policy documents, screenshots, ticket histories, and samples of real events such as onboarding and offboarding staff, patch cycles, and access reviews. For a data room, the controls under examination map directly to features you use every day. The audit confirms that access controls actually restrict who can open a folder, that the audit trail records activity in a tamper-evident way, and that encryption keys are managed properly. The result is a report a prospective customer’s security team can request and read in full.

Why does SOC 2 matter for M&A and due diligence?

In a merger or acquisition, both sides are handing confidential financials, contracts, and IP to a third-party platform, so the buyer’s counsel and the target’s board want proof that the platform is trustworthy. A current SOC 2 Type II report answers that question with independent evidence, which is why security questionnaires in due diligence so often ask for it by name. According to Vanta’s 2025 State of Trust report, 64% of organizations say a lack of security certifications like SOC 2 has cost them a deal. For the data room itself, the report shortens vendor review: instead of arguing that the platform is secure, the vendor points to an auditor who already tested it. It sits alongside ISO 27001 as one of the two credentials buyers look for first when they assess whether virtual data rooms are secure.

SOC 2 Type I vs Type II

The single most common point of confusion is the two report types. They are not interchangeable, and a Type II carries far more weight.

AspectType IType II
What it testsWhether controls are designed correctlyWhether controls operated effectively
Time frameA single dateA period, usually 6 to 12 months
Evidence depthPoint-in-time snapshotSampled events across the window
Buyer confidenceBaselineStrong, preferred in diligence

A Type I says the right controls exist on paper on one day. A Type II says those controls actually worked, day after day, for months. When a data room advertises “SOC 2”, it should be a Type II with a recent audit window.

A concrete example

Imagine a private equity firm running diligence on a target that stores its documents in a data room. The firm’s IT security lead requests the provider’s SOC 2 report under NDA. The report shows a Type II audit covering the prior 12 months, with the auditor noting that access reviews were performed quarterly and that no exceptions were found for the encryption and logging controls. That single document lets the security lead sign off in an afternoon rather than sending a 200-question survey. Compare providers head to head on our comparison page and read individual provider reviews to see which report types each vendor publishes.

How to evaluate a SOC 2 report and avoid common mistakes

  • Check the report type and date. A SOC 2 Type I from three years ago tells you little. Look for a recent Type II.
  • Read the scope. Confirm the audited systems actually include the data room product, not just corporate IT.
  • Look for exceptions. Auditors list deviations. A clean report with zero exceptions is stronger than one with unaddressed findings.
  • Do not treat the badge as the report. A “SOC 2 compliant” logo on a marketing page is not evidence; the report is. There is no such thing as being “SOC 2 certified” the way you are ISO 27001 certified.

For a fuller walkthrough of the credentials worth checking, see our guide to VDR security features and the overview of data room certifications.

FAQ

Is SOC 2 a certification? No. SOC 2 is an attestation report written by an auditor, not a pass or fail certificate. A provider cannot be “SOC 2 certified”; it can hold a current SOC 2 report. ISO 27001, by contrast, is a formal certification.

How often is a SOC 2 report renewed? Type II reports typically cover a rolling 6 to 12 month window and are refreshed annually, so a trustworthy provider will have a report whose period ends within the last year.

Does SOC 2 cover privacy and GDPR? Only if the provider elected the privacy and confidentiality criteria in scope. Security is always included, but privacy is optional, so read the report to confirm which criteria the audit actually tested.