When your enterprise prospect’s procurement team says they need your SOC 2, they mean Type II. If you send them a Type I report, they’ll ask again.
This distinction trips up a lot of founders, especially early in the process. Understanding it clearly will save you months, because the path to each is different, and starting with the wrong one means starting over.
The actual difference, plainly
SOC 2 is an audit framework developed by the AICPA. It assesses whether your security controls meet the Trust Services Criteria: standards covering security, availability, processing integrity, confidentiality, and privacy.
Type I: an auditor reviews your controls as of a specific date and confirms they are ‘suitably designed.’ A Type I report says your controls exist and look right.
Type II: the auditor tests whether your controls actually operated effectively throughout an observation period. Evidence must show they ran continuously, not just that they were set up correctly on the day of the audit.
Enterprise companies require Type II because they’ve learned that Type I doesn’t tell them much. Anyone can stand up controls for a day. The question is whether those controls run 24/7 for months without failing. Only a Type II report answers that.
Why the six-month minimum matters more than people realise
The observation period is the window during which your controls run and evidence collects. It begins when you have all required controls operating simultaneously, not when you engage an auditor.
The moment to start SOC 2 is when you hire your first enterprise AE (account executive), not when you receive the first enterprise questionnaire. Enterprise prospects appear within 60-90 days of that hire. The questionnaire appears within 30 days of the first serious conversation. You need to already be running.
Which Trust Services Criteria do you actually need
Every SOC 2 engagement includes the Security criteria. The other four are optional depending on what your product does.
| Criteria | Required | When to add it |
|---|---|---|
| Security | Always | Every SOC 2 engagement includes this |
| Availability | Optional | If you have uptime SLA commitments |
| Confidentiality | Optional | If you handle data with explicit confidentiality obligations |
| Processing Integrity | Optional | If your product processes financial or critical transactions |
| Privacy | Optional | If you collect and use personal information from individuals |
One practical note: adding more criteria increases audit scope and cost, but the incremental work is smaller than you’d expect because most of the underlying controls overlap. If you think you’ll need Confidentiality in future deals, build for it from the start rather than adding it to a subsequent audit.
What to do if you only have a Type I when they ask for Type II
Some enterprise buyers, particularly at earlier-stage companies or in situations with longer procurement timelines, will accept a Type I report combined with a specific, committed Type II delivery date.
If you’re in this situation, the conversation needs to be specific. ‘We’ll have our Type II report by October’ is much more credible than ‘we’re working on it.’ Better still: ‘Our Type II observation period runs through August, we’ve engaged [auditor name], and we expect the report in November.’ That gives them something concrete to work with.
Large, mature enterprise companies with strict vendor risk programs typically won’t budge. They’ll require the Type II before contract signature. Smaller or faster-moving enterprise buyers often will. Know your buyer.
The ongoing requirement after your first audit
SOC 2 isn’t a one-time achievement. It’s an annual program. Your Type II report covers a specific observation period and effectively expires, in the sense that prospects start asking for a report that covers the current year.
The infrastructure matters more than the compliance tool. A compliance platform helps you collect evidence and manage audits. But the audit evidence is only as good as the security infrastructure generating it. Get the infrastructure right first. The compliance program follows from that.
Getting the security infrastructure in place so your SOC 2 observation period generates meaningful evidence from day one is where Osto starts with most teams, before the compliance documentation, before the audit.