Definition
SOC 2
AICPA audit framework attesting to the design (Type I) and operating effectiveness (Type II) of security controls.
SOC 2 Type II — covering a 6–12 month observation window — is the de facto enterprise-sales prerequisite for SaaS. Diligence reviews the most recent report for scope (which Trust Services Criteria are in scope), exceptions, and the management response. Absence of SOC 2 is not disqualifying but compresses the addressable enterprise market.