Trust Services Criteria

SOC 2 — get audit-ready for your Type II report

SOC 2 is the AICPA's reporting framework that lets a service organization demonstrate how it protects customer data. An independent CPA firm examines your controls against the Trust Services Criteria and issues an attestation report — a SOC 2 Type I report tests the design of controls at a point in time, while a Type II report tests their operating effectiveness over a period (commonly 3–12 months).

HAiCapita helps you implement the controls and collect the evidence across that observation window; the report itself is always issued by a licensed CPA firm after their examination — never by us. We get you audit-ready.

The five Trust Services Criteria

SOC 2 is built on five Trust Services Criteria. Security (the common criteria) is mandatory in every report; Availability, Processing Integrity, Confidentiality and Privacy are added based on the commitments you make to customers. The common criteria are organized around the COSO framework — control environment, communication, risk assessment, monitoring and control activities — so scoping your report means choosing which criteria apply, then evidencing the controls beneath them.

How HAiCapita helps

Adopt a pre-built Trust Services Criteria control library scoped to the criteria you commit to. Run gap analysis to see exactly where you stand before the auditor arrives. Because a Type II report tests operating effectiveness over time, evidence freshness matters: HAiCapita collects evidence on a schedule and on demand — including screenshots and connector pulls — versioned with chain-of-custody and freshness/expiry tracking in a tamper-evident (WORM) audit trail, so you can hand your auditor a clean package spanning the whole observation period.

One control set, many frameworks

SOC 2 overlaps heavily with ISO 27001 and other security frameworks. Author a control once and crosswalk it to ISO/IEC 27001, NIST CSF, PCI DSS and the Egypt PDPL — so the same access-review, change-management or incident-response control and its evidence satisfy your SOC 2 examination and every other framework it maps to at the same time.

Sovereign — SaaS or fully air-gapped

Prepare for SOC 2 as multi-tenant SaaS in-region, or fully air-gapped on your own infrastructure with no external egress and no phone-home; the platform is the same either way. Your control narratives, policies and the evidence you assemble for the auditor stay within your jurisdiction. (HAiCapita itself dogfoods this program toward its own SOC 2 Type II readiness.)

Frequently asked questions

Does HAiCapita make my organization SOC 2 certified?

SOC 2 isn't a certification — it's an attestation report. HAiCapita gets you audit-ready: it provides the Trust Services Criteria control library, gap analysis and the evidence collected over your observation period. The SOC 2 report itself is issued by a licensed CPA firm after their independent examination.

What's the difference between SOC 2 Type I and Type II?

A Type I report tests whether your controls are suitably designed at a single point in time. A Type II report goes further and tests whether those controls operated effectively over a period — commonly 3 to 12 months. Type II is what most enterprise customers ask for, which is why continuous evidence collection over the observation window matters.

Which Trust Services Criteria do I need?

Security (the common criteria) is required in every SOC 2 report. You add Availability, Processing Integrity, Confidentiality and Privacy based on the commitments you make to your customers. HAiCapita lets you scope your control set to exactly the criteria that apply, so you don't evidence controls you never committed to.

Can SOC 2 evidence be collected in an air-gapped deployment?

Yes. The full SOC 2 readiness capability runs in the fully air-gapped, on-premise deployment — no external egress, entitlements from a locally-verified signed license — so the control narratives and evidence you assemble for your auditor stay entirely within your jurisdiction.

Get SOC 2 audit-ready with HAiCapita