SOC 2 Type II

Service Organization Controls

SOC 2 Type II Certification

SOC (Service Organization Controls) certifications cover the internal data protection controls implemented at a third-party service organization. They attest to how that organization protects the systems and data that third parties access.

SOC 2 Type II reports are the most comprehensive SOC certifications. A company that has achieved SOC 2 Type II certification is taking a proactive approach and investing in keeping its clients’ data secure. For service providers working with cloud and IT services, this certification is critical for their regulators, examiners, and auditors.

The differences between SOC 1, SOC 2, and SOC 3 certifications are:

SOC 1
Reports on the service organization's controls related to its clients' financial reporting.

SOC 2
Reports build on the financial reporting basis of SOC 1 and also require standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight. A SOC 2-certified service organization is appropriate for businesses whose regulators, auditors, compliance officers, business partners, and executives require documented standards.

SOC 3
Reports are a simplified version of SOC 2 reports, requiring less formalized documentation. SOC 3 reporting is appropriate for businesses with fewer regulatory oversight concerns.

The SOC 2 framework includes five key sections, forming a set of criteria called the Trust Services Principles. These are:

1. The security of the service provider's system
2. The processing integrity of this system
3. The availability of this system
4. The privacy of personal information that the service provider collects, retains, uses, discloses, and disposes of for user entities
5. The confidentiality of the information that the service provider's system processes or maintains for user entities

Typically, an MSP (managed service provider) will choose to be evaluated against the security, availability, and confidentiality categories. Data security is critical to the livelihood of MSPs, and taking a proactive approach to critical controls is a significant differentiator from competitors.

Achieving SOC 2 Type II compliance takes a dedicated compliance team, regular audits, and engaging an independent third party to produce bi-annual reviews. The costs can easily reach hundreds of thousands of dollars.

Tehama's SOC 2 Type II controls are audited on Security, Availability, and Confidentiality.

Tehama has 107 controls built into the platform, making SOC 2 Type II compliance much easier and more affordable for an MSP or service provider.