SOC 2
Also known as: SOC 2 Type II, System and Organization Controls 2
Definition
SOC 2 is an independent attestation of controls against the AICPA Trust Services Criteria. For technology companies, SOC 2 affects enterprise sales, customer trust, security maturity, and buyer diligence. The operating risk is not the report itself but whether the underlying controls are real, repeatable, and maintained.
SOC 2 should reduce sales friction, not create compliance theater. Buyers and enterprise customers care whether access control, change management, incident response, vendor management, and evidence collection actually operate.
In post-acquisition work, SOC 2 gaps often reveal deeper issues: unmanaged identities, weak deployment controls, undocumented systems, and unclear ownership of security decisions.
Related terms
- DORA Metrics — Four software-delivery metrics: deployment frequency, lead time for changes, change failure rate, and time to restore service.
- IP Assignment — The legal transfer of intellectual property rights from employees, contractors, founders, or third parties to the operating company.
- Technical Debt — The cumulative cost of architectural, platform, testing, and operational shortcuts in software systems — convertible to dollar EBITDA drag and exit-multiple turns.
Where this gets applied
- Exit Readiness — Pre-LOI cleanup. Financial reporting normalization, contract hygiene, IP assignment review, customer-concentration mitigation.
- Technical Debt — Quantification in dollars, not adjectives. Then a remediation plan that runs in parallel with delivery.
- Compliance & Security — SOC 2, CMMC, FedRAMP, security baselines for post-acquisition standardization.