Glossary

SOC 2 Type II

A security audit that examines whether a vendor maintains the security controls they claim, sustained over a period of months, not at a single point in time. The baseline trust signal for any SaaS in 2026.

SOC 2 is a framework for evaluating a vendor's security controls across five trust services criteria, security, availability, processing integrity, confidentiality, and privacy. Type I attests to a single point in time. Type II attests to sustained operation over a window (usually six to twelve months).

Type II is the one that matters. Type I says the vendor had the right controls the day the auditor visited. Type II says they had them every day for six months. Procurement reviews at any serious enterprise require Type II; Type I is treated as in-progress.

The audit is performed by an independent CPA firm. The vendor receives a SOC 2 report, a long document with the auditor's findings, which they share with prospects under NDA. The right diligence question is 'when does your current Type II report cover?', not 'are you SOC 2 compliant?'

How Vorel does this

Vorel is SOC 2 Type II audited. The current report covers the trailing twelve months and is shared with prospects under NDA via the account team.

The next call doesn’t have to go to voicemail.

Book a thirty-minute demo. We point Vorel at one of your real numbers on the same call.