SOC 2 is a framework for evaluating a vendor's security controls across five trust services criteria, security, availability, processing integrity, confidentiality, and privacy. Type I attests to a single point in time. Type II attests to sustained operation over a window (usually six to twelve months).
Type II is the one that matters. Type I says the vendor had the right controls the day the auditor visited. Type II says they had them every day for six months. Procurement reviews at any serious enterprise require Type II; Type I is treated as in-progress.
The audit is performed by an independent CPA firm. The vendor receives a SOC 2 report, a long document with the auditor's findings, which they share with prospects under NDA. The right diligence question is 'when does your current Type II report cover?', not 'are you SOC 2 compliant?'
Vorel is SOC 2 Type II audited. The current report covers the trailing twelve months and is shared with prospects under NDA via the account team.

