At Ontra, we are committed to maintaining our customers’ trust, which means following the highest security standards, including annual SOC 2 Type 2 audits. Our private markets customers maintain highly sensitive financial data and take due diligence of all service providers seriously. Annual SOC 2 audits provide our customers with ongoing assurance that Ontra is safeguarding their information.
One of the most common asks between B2B organizations during diligence is, “Are you SOC 2 certified?”
The question is understandable, but SOC 2 isn’t technically a certification. This blog post provides more detail on what SOC 2 is and a better way to ask your vendors — and AI providers — whether they’re compliant.
What is SOC?
System and Organization Controls (SOC) is a voluntary framework developed by the Association of International Certified Professional Accountants (AICPA) that audits how service providers, particularly tech and cloud companies, manage client and customer data.
What is SOC 1?
SOC 1 is an evaluation of an organization’s financial reporting controls. This report is relevant to organizations that provide services that impact their clients’ financial statements. The main purpose of a SOC 1 report is Sarbanes-Oxley compliance.
What is SOC 2?
SOC 2 refers to an audit or audit report that assesses a company’s people, processes, and technology against the AICPA’s System and Organization Controls, primarily for U.S.-based SaaS organizations. Essentially, when an organization says “We have a SOC 2,” it means they have had a SOC 2 audit performed and have received a report of the findings from that audit.
The full control list of SOC criteria is generally available on the AICPA’s website (with a free AICPA account).
What is SOC 3?
SOC 3 is a general-purpose overview of an organization’s controls without disclosing testing details. This report is intended for a public audience and marketing purposes, not for certification of any kind. Businesses can use it to build trust with the public, customers, and prospects.
Types of SOC audits
Both SOC 1 and SOC 2 audits can be one of two types:
Type 1 Audit: A “point in time” audit where an organization’s controls are only checked “at a specific point in time.” If you schedule the audit for June 30, the auditors will only ask you to show evidence of meeting the controls up to that date. You can supply evidence over nearly any period of time (but typically within a year) to show you are meeting the control.
Type 2 Audit: A check of an organization’s controls over a period of time, typically 12 months. When you schedule your audit, you set the duration. You must provide evidence showing you meet the controls during that “audit window.” Let’s say you schedule the audit to start on June 30, but you choose a Type 2 with a 6-month audit window. Your auditors may now ask you for evidence that you are meeting the controls at any time between June 30 and December 30.
Who conducts SOC audits?
Only licensed certified public accountant (CPA) firms or practitioners accredited by the AICPA can perform SOC audits.
What is the SOC 2 audit process?
A company voluntarily reaches out to an auditing firm, typically a CPA, and asks the auditor to review its internal practices and technology to ensure that they align with the controls established by the AICPA.
SOC 2 auditors work with a company’s security and leadership team to systematically review each control and request evidence demonstrating that the company meets it. This is typically done via in-person or remote (video) interviews, during which evidence is provided via document uploads, screenshots, or live recordings.
Auditors compile all the evidence provided and compare it with the AICPA’s SOC 2 control language. They supply an “opinion” on whether the company does or doesn’t meet each control, or if there were any exceptions.
Auditors then issue a “SOC 2 Attestation Report” to the audited company, so it can provide the report to its customers as evidence of the company’s security.
What does a SOC 2 audit require?
SOC 2 Type 2 requires an organization to undergo an independent, in-depth audit. The audit reviews five Trust Service Criteria:
- Security
- Availability
- Confidentiality
- Processing Integrity
- Privacy
For example:
“Considers the Background of Individuals — The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.”
That is the language provided by the AICPA for organizations to implement and for auditors to validate. The language does not specify how to conduct background checks, does not state that they are required in all cases, and does not define the correct or incorrect way to perform them. It just says that the company “considers” them.
The control language is intentionally broad and generic, so it can apply to any company across a wide range of industries and organizational structures.
Using the example above, if a company says in a policy, “all employees or persons working for the company require a background check before working for the company,” the auditors will ask for evidence that the work is being done and that “Considers the Background of Individuals” is being carried out.
But let’s say your policy says, “Only full-time direct employees must have background checks performed, but contractors do not.” Even though background checks aren’t performed on contractors, the control is still met, as background checks were “considered” even though they weren’t ultimately enforced for contractors, which is all the control asks for. The auditor may note that in the report, but it would not be considered a control exception because the company policy explicitly states it.
Unlike ISO 27001 certification, SOC 2 is not something organizations use to build a security program, as there is no one-size-fits-all approach to the control language. Instead, you use it to ensure your company aligns as closely as possible with the SOC 2 control language, which is considered one of the gold standards of security compliance.
How to ask about SOC 2 if it’s not a certification?
The most accurate ways to ask a company if they meet SOC 2 controls are:
- “Have you completed a SOC 2 Type 2 audit?”
- “Do you hold a current SOC 2 Type 2 report?”
- “Are you SOC 2 compliant?”
How Ontra meets all 5 trust criteria for SOC 2
Trust is foundational at Ontra; it’s embedded in how we operate. In May 2025, Ontra completed an independent SOC 2 Type 2 audit covering the period from January 1 to December 31, 2024. The audit covered all five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Our controls were designed and operated effectively throughout the year. We’ve completed the audit with no exceptions for 2025 and are awaiting our most recent report.
After receiving a clean SOC 2 report with no exceptions across all criteria, we continued to raise the bar. To further strengthen customer confidence, beyond the audit process, we integrated our systems with a continuous monitoring platform (Vanta) that verifies alignment with SOC 2 and ISO controls in real time.*
Customers can validate Ontra’s alignment to these controls and receive copies of Ontra’s SOC 2 report, ISO certification, and other security documents within Ontra’s Trust Center at trust.ontra.ai.
*The organizations referenced in this article have no affiliation with Ontra, and neither Ontra nor such organizations promote or endorse the other’s products or services.