SOC 2 is the audit standard, published by the American Institute of Certified Public Accountants, that certifies a service organization's controls over five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. For SaaS vendors selling into US enterprise procurement, a SOC 2 Type II report is effectively table stakes.
There are two report types. Type I assesses whether the controls are designed appropriately at a point in time. It is faster and cheaper to obtain but is generally not what enterprise procurement asks for. Type II assesses whether the controls operated effectively over a period (typically 6 to 12 months). It is the report that procurement reviewers actually want to see, and the one that takes a real engagement with an auditor to produce.
A SOC 2 Type II report is not a public document. Vendors share it under NDA, typically through a trust center portal. The report contains the auditor's opinion, the description of the system, the controls tested, and any exceptions. Procurement reviewers read the exceptions section first, because that is where the real signal is.
For AI and SaaS vendors, a related question is whether to add the privacy criterion (TSC P) or stick with security alone (TSC CC). Most enterprise B2B SaaS vendors include security at minimum and add availability if they sell uptime as part of the value proposition. Privacy is added when the vendor processes a large volume of personal data and wants the audit to validate its privacy controls, rather than relying on GDPR-aligned drafting in the DPA alone. ISO/IEC 42001 is the parallel standard for AI management systems; many vendors are now pursuing both.