
    What Is SOC 2 Compliance?

    SOC 2 is how service organizations prove their controls actually work — an independent auditor's attestation against the Trust Services Criteria. For anyone selling to enterprises, it's less a badge than a gate: no report, no deal. And passing it is, above all, an evidence problem.

    The Shape

    What SOC 2 Actually Tests

    Trust criteria

    Security always; availability, processing integrity, confidentiality, privacy as scoped.

    Type I vs II

    Designed right (a moment) vs operated right (6–12 months of proof).

    Evidence

    Access reviews, change logs, alerts and responses, incident records.

    Infrastructure

    Availability and physical-control evidence for the estate underneath.

    The Practical Truth

    Audits Are Won in the Evidence, Not the Meeting

    Type II turns compliance from a document review into a data problem: months of proof that monitoring ran, alerts were handled, changes were recorded, and availability held. Teams that assemble this by hand lose weeks per audit cycle; teams whose operations platform records it continuously simply export it. For the infrastructure layer, that's Sensaka's contribution: uptime and alert-response history, hardware and configuration change records, and access audit trails for the management plane, all generated as a by-product of simply running the estate. In one deployment, audit exceptions went from 31% to zero once records came from the hardware instead of the spreadsheet.

    Availability history on demand
    Alert → response trails preserved
    Change records from the hardware
    Management-plane access logged
    Evidence as export, not project

    FAQ

    Common Questions About SOC 2

    What is SOC 2 compliance?

    SOC 2 is an independent auditor's attestation, under the AICPA's framework, that a service organization's controls meet the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It's the report enterprise customers ask vendors for.

    What is the difference between SOC 2 Type I and Type II?

    Type I assesses whether controls are designed properly at a point in time; Type II tests whether they operated effectively over a period (usually 6–12 months). Customers increasingly expect Type II.

    What does a SOC 2 audit involve?

    An independent auditor examines your controls and the evidence they ran: access reviews, change records, monitoring alerts and responses, incident tickets, availability data. The audit is largely an evidence-collection exercise.

    How does infrastructure monitoring support SOC 2?

    The availability and security criteria demand proof: uptime records, alert-and-response trails, change tracking, access logs — including physical infrastructure. Monitoring platforms generate this evidence continuously instead of during a pre-audit scramble.

    Make the next audit an export