AICPA standard, used globally as a de-facto trust baseline.

SOC 2

SOC 2 (Service Organization Control 2)

Applies to

SaaS and cloud-hosted services selling into enterprise. Not legally required — required by your customers in their procurement process.

Creates urgency when

An enterprise prospect asks for the report during procurement and the deal stalls until you can produce one. Compounding when the report has gaps.

Evidence burden

Continuous-controls evidence across security, availability, processing integrity, confidentiality, and privacy. Annual audit; evidence collected continuously.

Buying-committee effect

Brings legal, customer security review, and the GRC lead into deals that previously involved only the technical buyer.

GTM angle

The earliest serious compliance trigger for a SaaS company. Sold as "your enterprise customers will not buy from you without this." The market is mature; the buyer is comparing automation depth, not asking whether they need it.