Auditing standard for service providers managing customer data focusing on security, availability, and privacy

SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants that evaluates the internal controls and processes of service organizations that store, process, or transmit customer data, focusing on security, availability, processing integrity, confidentiality, and privacy.

SOC 2 audits assess whether service providers implement appropriate controls across five Trust Services Criteria. Security addresses protection against unauthorized access. Availability ensures systems are operational and accessible as committed. Processing integrity verifies that systems process data completely, accurately, and in a timely manner. Confidentiality protects information designated as confidential. Privacy addresses the collection, use, retention, and disposal of personal information in compliance with the organization's privacy commitments.

For crypto custodians, exchanges, payment processors, and wallet providers, SOC 2 Type II certification (which examines controls over a period, typically 6-12 months) has become an industry expectation demonstrating institutional-grade operational security. SOC 2 reports provide independent verification of security architecture, access controls, encryption practices, incident response procedures, and business continuity capabilities, addressing institutional investors' due diligence requirements before entrusting digital assets to service providers.
