SOC 2 | 8 min read | 13 May 2026

SOC 2 Type 1 vs Type 2: What SaaS Founders Actually Need

SOC 2 Type 1 proves your controls exist on a single day. Type 2 proves they worked over 6–12 months. Here's when you need each, what the audit looks like, and how to get there without breaking the bank.

The one-sentence difference

SOC 2 Type 1 is a point-in-time audit — your auditor looks at your controls on a specific date and confirms they are designed correctly. SOC 2 Type 2 is a period-in-time audit — your auditor reviews whether those controls actually operated effectively over a period (usually 6 or 12 months). Type 2 is what enterprise customers actually want when they say "do you have SOC 2?".

What SOC 2 is (and isn't)

SOC 2 is a voluntary auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It is not a certification in the ISO 27001 sense — it is an attestation report issued by a licensed CPA firm. The report assesses how your organization handles data across up to five Trust Service Criteria (TSC):

  • Security (Common Criteria, CC): the only mandatory criterion. Covers logical access, network security, change management, monitoring, and incident response.
  • Availability: system uptime; relevant if you have SLA commitments.
  • Processing Integrity: data is processed completely, accurately, and on time. Relevant for fintech, payroll, healthcare data processing.
  • Confidentiality: protection of information designated as confidential. Common for B2B SaaS handling sensitive business data.
  • Privacy: personal information collection, use, retention, and disposal per AICPA privacy principles.

Most early-stage SaaS companies start with Security only (CC controls). Adding Availability and Confidentiality is common for B2B enterprise. Privacy is usually addressed via GDPR/CCPA compliance instead.

SOC 2 Type 1: design, not operation

A Type 1 report answers: "As of [audit date], were this company's controls designed appropriately to meet the Trust Service Criteria?"

The auditor reviews your policies, procedures, and system descriptions. They check that controls exist. They do not verify that the controls were consistently followed over time.

What Type 1 requires

  • A complete System Description (written by management, describing your product, infrastructure, and boundaries)
  • Documented policies: information security policy, access control policy, incident response plan, change management procedure, vendor management policy
  • Evidence of control design: org chart showing security responsibilities, architecture diagram, list of tools used for logging/monitoring, etc.
  • Management's assertion that the description is accurate and controls are suitably designed

Timeline and cost

Type 1 is faster to obtain. If you have your documentation in order, a Type 1 audit takes 4–8 weeks and costs roughly $10,000–$20,000 with a mid-tier CPA firm. Some compliance platforms (Vanta, Drata, Sprinto, Secureframe) can compress this further by automating evidence collection.

SOC 2 Type 2: operation over time

A Type 2 report answers: "Over [audit period], did this company's controls operate effectively?"

The auditor tests your controls throughout the period — not just whether they existed, but whether they were actually followed. Did access reviews happen quarterly as your policy says? Were background checks run for new hires? Were patches applied within your SLA? Did you review security logs?

The observation period

The minimum observation period is typically 6 months; most enterprise customers want 12 months. This means you cannot shortcut to a Type 2 — you need to implement controls, run them consistently, and then have them audited after the observation period ends.

What Type 2 requires (in addition to Type 1 requirements)

  • Consistent operation of controls throughout the period (not just at audit time)
  • Evidence of ongoing operation: access review logs, patch history, incident tickets, security training completion records, vendor review meeting notes
  • A compliance platform or manual tracking process to gather evidence continuously
  • Defined control owners who perform and document controls on schedule

Timeline and cost

Plan for 9–18 months from "starting SOC 2 prep" to "Type 2 report in hand." Budget $15,000–$40,000 for the audit itself, plus tooling costs (Vanta/Drata: $10,000–$25,000/year; manual: free but time-intensive). Total cost of first Type 2: $25,000–$60,000 depending on company size and tooling choice.

Do you need Type 1 or Type 2?

Situation | Recommendation
Mid-market prospect asking "do you have SOC 2?" during sales | Type 1 unblocks most deals. Get Type 1 first.
Enterprise (Fortune 500) legal/security review | Almost always requires Type 2. Type 1 may satisfy a short-term exception.
Early-stage raising Series A/B | Start the Type 2 observation period now. Investors increasingly ask.
Government or regulated-industry customer (healthcare, finance) | Type 2 required. Often combined with HIPAA, FedRAMP, or SOX.
You have no security controls yet | Fix that first. Audit-readiness takes 3–6 months before you can start observation.

The 7 Common Criteria (CC) controls every SaaS must have

The Security TSC is organized around COSO principles and covers 9 control categories (CC1–CC9). The ones that trip up most early-stage SaaS companies:

  1. Logical access (CC6): MFA enforced on all production access, least-privilege role assignments, access reviews every 90 days, access revoked within 24h of termination.
  2. Change management (CC8): code review required before merge, staging environment separate from production, deploy approval process documented.
  3. Risk assessment (CC3): annual risk assessment documented; identified risks tracked.
  4. Vendor management (CC9): critical vendors assessed for security posture; sub-processor agreements in place.
  5. Incident response (CC7): written IR plan; incidents logged and reviewed; post-incident retrospectives for P1/P2 events.
  6. Monitoring (CC7): centralized logging (CloudWatch, Datadog, etc.); alerts for anomalous access; log retention ≥ 90 days.
  7. Background checks (CC1): criminal background checks for employees with production access (required in many jurisdictions).
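The CC6 thresholds above (MFA on all production access, access reviews every 90 days, revocation within 24h of termination) are exactly what a compliance platform or a Type 2 auditor samples for. As an added example, not code from this guide or any vendor, the check below runs those three tests over a constructed access-review export; the record format and field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of an access-review export (hypothetical data, not from
# any real system). One record per account with production access.
ACCOUNTS = [
    {"user": "alice", "prod_access": True, "mfa": True,
     "last_access_review": "2026-03-01", "terminated_at": None, "access_revoked_at": None},
    {"user": "bob", "prod_access": True, "mfa": False,
     "last_access_review": "2026-04-15", "terminated_at": None, "access_revoked_at": None},
    {"user": "carol", "prod_access": True, "mfa": True,
     "last_access_review": "2025-12-01", "terminated_at": None, "access_revoked_at": None},
    {"user": "dave", "prod_access": True, "mfa": True,
     "last_access_review": "2026-04-01", "terminated_at": "2026-04-20T09:00:00",
     "access_revoked_at": "2026-04-22T10:00:00"},
]

# Control parameters as stated in the CC6 item above.
REVIEW_MAX_AGE = timedelta(days=90)   # access reviews every 90 days
REVOKE_SLA = timedelta(hours=24)      # access revoked within 24h of termination


def check_cc6(accounts, as_of):
    """Return (user, exception) pairs for every CC6 control failure as of `as_of`."""
    findings = []
    for a in accounts:
        if not a["prod_access"]:
            continue  # only production access is in scope for these checks
        if not a["mfa"]:
            findings.append((a["user"], "mfa_not_enforced"))
        last_review = datetime.fromisoformat(a["last_access_review"])
        if as_of - last_review > REVIEW_MAX_AGE:
            findings.append((a["user"], "access_review_overdue"))
        if a["terminated_at"]:
            terminated = datetime.fromisoformat(a["terminated_at"])
            if a["access_revoked_at"] is None:
                findings.append((a["user"], "access_not_revoked_after_termination"))
            elif datetime.fromisoformat(a["access_revoked_at"]) - terminated > REVOKE_SLA:
                findings.append((a["user"], "access_revocation_exceeded_24h"))
    return findings


def run_sample():
    """Evaluate the constructed export as of the audit date used in this example."""
    return check_cc6(ACCOUNTS, datetime(2026, 5, 13))


if __name__ == "__main__":
    for user, exception in run_sample():
        print(f"{user}: {exception}")
```

Each returned pair is the kind of exception an auditor would list in the Type 2 report, so the same script doubles as the evidence you keep for the observation period.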

Getting started: the practical path

  1. Scope your system. Define exactly what is in scope: which applications, infrastructure components, and data flows the SOC 2 report covers. Smaller scope = faster audit = lower cost.
  2. Gap assessment. Compare current controls against the CC criteria. Most auditors offer a free or low-cost readiness assessment. Alternatively, use a compliance platform's gap analysis tool.
  3. Implement controls. Fix the gaps. This is the real work. A lean team typically takes 2–4 months.
  4. Start the observation period. For Type 2, controls must operate consistently for the observation period before the audit starts.
  5. Engage an auditor. Get quotes from 3–5 CPA firms. Mid-tier firms (e.g., Schellman, A-LIGN, Johanson) are significantly cheaper than Big 4 and equally credible for most enterprise deals.
  6. Audit and report. The auditor issues a Type 1 or Type 2 report. You share it under NDA with prospects who ask.

Before SOC 2: get your legal docs right

SOC 2 auditors review your legal documentation as part of the System Description. Before you engage an auditor, make sure you have:

  • A privacy policy that accurately describes your data practices
  • Terms of service with security obligations and limitation of liability
  • A Data Processing Agreement (DPA) template for B2B customers
  • A vendor/sub-processor list with DPAs in place
  • An acceptable use policy
