SOC 2 Type II
SOC 2
Independent audit of security, availability, processing integrity, confidentiality, and privacy controls over time.
Overview
The AICPA (American Institute of Certified Public Accountants) introduced SOC 2 in 2010 as part of its Service Organization Control reporting framework. It replaced the practice of stretching SAS 70 reports, which were designed for controls relevant to a customer's financial reporting, to answer a different question: how can an enterprise customer verify the security and operational integrity of a service provider without auditing that provider's facilities itself? SOC 1 kept the financial-reporting scope; SOC 2 took on security and operations.

A SOC 2 report is an attestation, not a certification. A licensed CPA firm issues an opinion on management's description of the system and on its controls, measured against the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the "common criteria") is in scope for every SOC 2 report; the other four are included only when the service organization chooses them, so two providers' reports can cover quite different ground. Within each criterion the organization defines its own controls, which gives flexibility while the criteria themselves set the bar the auditor tests against.

For data centers, SOC 2 has become the primary mechanism for establishing trust with enterprise customers rather than a compliance checkbox. The Type II designation matters because it covers an observation period, commonly 6 to 12 months, during which the auditor tests whether controls actually operated as described; a Type I report covers control design at a single point in time. The extended period lets auditors sample evidence across multiple business cycles, capturing seasonal variations, incident responses, and the true maturity of an organization's security processes.
Key Requirements
Security Control Environment Over Extended Period
Data centers must demonstrate that security controls operated effectively throughout the observation period (commonly 6 to 12 months), with evidence of consistent access control, change management, vulnerability management, and incident response.
Policies must be shown to be enforced, not merely documented: controls are operated and reviewed at the frequency the organization's own policies define (typically monthly or quarterly for recurring reviews), and deficiencies are remediated within defined timeframes. Because the auditor samples evidence from across the whole period, a control that cannot be shown to have run at each scheduled interval is treated as not operating.
Auditors specifically examine access logs, firewall rule sets, patch management records, security training completion, user access reviews, and incident tickets to verify that controls functioned as designed across different operational scenarios.
Availability and System Uptime Assurance
The Availability criterion requires data centers to demonstrate that systems remain accessible and operational according to defined service levels throughout the audit period.
This involves maintaining redundancy across power systems (dual feeds, UPS, generators), network connectivity (multi-carrier routing, failover mechanisms), and compute resources (clustered systems, geographic redundancy), with monthly monitoring and reporting of actual uptime metrics against promised SLAs.
Data centers must provide detailed evidence of maintenance windows, incident response timelines, recovery time objective (RTO) and recovery point objective (RPO) achievement, and the testing/validation of disaster recovery procedures during the audit period.
Processing Integrity and Completeness Validation
Where Processing Integrity is in scope, data centers must show that the processing their system performs on customer data and transactions is complete, valid, accurate, timely, and authorized. For a pure colocation or hosting provider this criterion is often excluded, since the provider does not process customer transactions itself; it matters most where the provider operates a platform or managed service that does.
This requires documented controls over data ingestion, validation rules enforced at the application layer, segregation of duties in transaction processing, reconciliation procedures comparing source records to processed outputs, and monitoring controls that detect incomplete or erroneous processing.
For multi-tenant environments, this includes demonstrating that customer data isolation is maintained and that processing in one tenant's environment cannot affect another's.
Confidentiality Protection Mechanisms
The Confidentiality criterion requires data centers to restrict information designated as confidential to authorized individuals and to protect it through its lifecycle, including disposal. The criteria do not prescribe specific algorithms; what is tested is whether the organization met the commitments in its own system description. In practice those commitments typically include encryption in transit (TLS 1.2 or later) and at rest (AES-256 or equivalent), key management procedures that prevent unauthorized key access, and access controls built on the principle of least privilege.
Data centers must document all employees with logical or physical access to customer data, enforce role-based access controls, require multi-factor authentication for privileged access, and maintain audit logs of all access attempts—both successful and failed—throughout the audit period.
Privacy Controls and Personal Data Handling
Data centers that collect, use, retain or dispose of personal information must demonstrate that they do so in accordance with their own privacy notice and the Privacy criteria, with controls covering data collection, usage restrictions, retention limits, deletion procedures, and individual rights fulfilment (access, correction and deletion requests). A SOC 2 report does not by itself establish compliance with GDPR, CCPA or similar laws, although the controls tested usually overlap with what those regulations require. Many colocation providers scope Privacy out entirely because they have no logical access to the personal data their tenants store.
This includes evidence that data collection is limited to stated purposes, that personal data is not used for secondary purposes without consent, that retention schedules are enforced and deletion occurs within defined timeframes, and that data subject requests are processed within regulatory deadlines.
Control Monitoring and Testing Program
Throughout the observation period, data centers must run an active program that monitors control effectiveness through automated alerting, periodic manual testing, and management-level assessments (quarterly is common).
This requires documented evidence that controls were tested at their defined frequency (monthly or quarterly for most recurring controls, not only annually), that test results were reviewed by management, that exceptions were escalated, and that remediation plans addressed any control failures or gaps.
Auditors verify that the testing program covers every criterion in scope for the report and that its methodology is rigorous enough to detect operating failures rather than merely confirm that a procedure exists.
Comprehensive Audit Trail and Evidence Retention
Data centers must maintain complete audit logs and evidence repositories covering the entire observation period: system and access logs retained in analysable form, access control evidence such as archived firewall rule sets and access lists, patch records showing installation dates and verification, and incident reports with root cause analysis and proof of remediation.
All control evidence must be accessible to auditors and retained according to data center policies, typically 12-24 months minimum, with logs protected against unauthorized modification and stored in locations independent of the systems they monitor.
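Log integrity is one of the few points in this list that can be mechanised rather than only documented. The following is an added example, not code from the original page or from any auditor or vendor: a hash-chained append-only log in Python. Each entry embeds the SHA-256 of the previous entry, so editing, reordering or re-hashing a past entry breaks the link to its successor, and `seal` produces a tail digest meant to be copied to a location independent of the logging host (a write-once bucket, a ticket, a daily register). The event fields and the `append`/`seal`/`verify`/`tamper` names are assumptions made for this example; they are not part of SOC 2. The example also shows the limitation a practitioner should know: truncating the newest entries is invisible to chain verification unless the tail digest was anchored elsewhere.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # "previous hash" of the first entry

# Constructed sample access events for the example (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "user": "alice", "action": "login", "outcome": "success"},
    {"ts": "2024-03-01T08:05:12Z", "user": "mallory", "action": "login", "outcome": "failure"},
    {"ts": "2024-03-01T08:06:01Z", "user": "alice", "action": "fw_rule_change", "outcome": "success"},
    {"ts": "2024-03-01T08:30:00Z", "user": "bob", "action": "badge_entry", "outcome": "success"},
]


def _digest(body: Dict) -> str:
    """SHA-256 over a canonical JSON form so the hash is reproducible."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _body(entry: Dict) -> Dict:
    """Everything in the entry except its own hash field."""
    return {k: v for k, v in entry.items() if k != "hash"}


def append(chain: List[Dict], event: Dict) -> Dict:
    """Append an event, linking it to the previous entry's hash."""
    body = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS, "event": event}
    entry = dict(body, hash=_digest(body))
    chain.append(entry)
    return entry


def seal(chain: List[Dict]) -> str:
    """Tail digest to store somewhere the logging host cannot overwrite."""
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain: List[Dict], expected_tail: Optional[str] = None) -> Optional[str]:
    """None if the chain is intact, otherwise a description of the first problem."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return f"entry {i}: broken link"
        if _digest(_body(entry)) != entry.get("hash"):
            return f"entry {i}: hash mismatch"
        prev = entry["hash"]
    if expected_tail is not None and prev != expected_tail:
        return "tail mismatch"  # entries removed from the end, or never written
    return None


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def tamper(chain: List[Dict], idx: int, new_event: Dict, rehash: bool = False) -> List[Dict]:
    """Copy of the chain with entry idx altered; rehash=True models an attacker
    who also recomputes that entry's own hash to hide the edit."""
    copy = [dict(e) for e in chain]
    copy[idx]["event"] = new_event
    if rehash:
        copy[idx]["hash"] = _digest(_body(copy[idx]))
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    tail = seal(chain)  # in practice: shipped off-host at each seal
    hidden_failure = dict(SAMPLE_EVENTS[1], outcome="success")
    print("intact:", verify(chain, tail))
    print("edited:", verify(tamper(chain, 1, hidden_failure)))
    print("edited and rehashed:", verify(tamper(chain, 1, hidden_failure, rehash=True)))
    print("truncated, no anchor:", verify(chain[:-1]))
    print("truncated, with anchor:", verify(chain[:-1], tail))
```

Run the file to see the scenarios: a silently edited entry fails with a hash mismatch, an edited-and-rehashed entry fails at the next link, and a truncated log passes until it is checked against the externally stored tail. That is the reason the evidence-retention requirement insists on logs stored independently of the systems they monitor: the chain proves internal consistency, the external anchor proves completeness.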
Change Management and Configuration Control
Data centers must document and control all changes to infrastructure, applications, and configurations throughout the audit period, demonstrating that changes follow defined procedures including change request documentation, approval workflows, testing in non-production environments, and post-implementation verification.
Auditors sample the change log to confirm that changes followed the documented procedure, that emergency changes used the defined emergency path (retrospective approval within a set window, not the absence of approval), that changes affecting security or availability were assessed and tested for impact, and that a rollback procedure existed in case a change caused failures. A change with no corresponding request or approval is reported as an exception.
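The reconciliation an auditor performs on the change log can be run by the data center itself before the audit. Below is an added example, not the page's own material or any audit firm's tooling: a Python check that joins a deployment log against change requests and reports each deployment that has no change request, was approved by its own requester, was deployed before approval, used the emergency path but was not approved within a 48-hour window, lacks non-production test evidence, or has no rollback plan. The records, field names and the 48-hour window are constructed assumptions for the example; the real values come from the organization's change policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy value for the example: emergency changes must be approved
# within this window after deployment. A real value comes from the change policy.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=48)


@dataclass
class ChangeRequest:
    cr_id: str
    requester: str
    approver: Optional[str]          # None = never approved
    approved_at: Optional[datetime]  # None = never approved
    emergency: bool
    tested_in_nonprod: bool
    rollback_plan: bool


@dataclass
class Deployment:
    cr_id: Optional[str]  # None = deployed with no change request reference
    deployed_by: str
    deployed_at: datetime
    target: str


def _t(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample records for the example (not real data).
CHANGES: Dict[str, ChangeRequest] = {
    "CR-101": ChangeRequest("CR-101", "alice", "bob", _t("2024-03-02T10:00:00Z"), False, True, True),
    "CR-102": ChangeRequest("CR-102", "carol", "carol", _t("2024-03-03T09:00:00Z"), False, True, True),
    "CR-103": ChangeRequest("CR-103", "dave", "bob", _t("2024-03-04T12:00:00Z"), True, False, True),
    "CR-104": ChangeRequest("CR-104", "erin", None, None, True, False, False),
    "CR-105": ChangeRequest("CR-105", "alice", "bob", _t("2024-03-06T15:00:00Z"), False, False, True),
}
DEPLOYMENTS: List[Deployment] = [
    Deployment("CR-101", "alice", _t("2024-03-02T14:00:00Z"), "core-fw-01"),
    Deployment("CR-102", "carol", _t("2024-03-03T11:00:00Z"), "ups-mgmt-01"),
    Deployment("CR-103", "dave", _t("2024-03-03T06:00:00Z"), "core-rtr-02"),  # emergency, approved 30h later
    Deployment("CR-104", "erin", _t("2024-03-05T02:00:00Z"), "bastion-01"),
    Deployment("CR-105", "alice", _t("2024-03-06T09:00:00Z"), "hv-07"),
    Deployment(None, "frank", _t("2024-03-07T22:00:00Z"), "core-fw-01"),
]


def reconcile(changes: Dict[str, ChangeRequest], deployments: List[Deployment]) -> List[Dict]:
    """Return one finding per control failure observed on the deployment log."""
    findings: List[Dict] = []
    for d in deployments:
        def flag(reason: str) -> None:
            findings.append({"cr_id": d.cr_id, "target": d.target,
                             "deployed_at": d.deployed_at.isoformat(), "finding": reason})

        cr = changes.get(d.cr_id) if d.cr_id else None
        if cr is None:
            flag("no change request")  # unauthorized change: nothing to test further
            continue
        if cr.approver is None or cr.approved_at is None:
            flag("never approved")
        else:
            if cr.approver == cr.requester:
                flag("approver equals requester")  # segregation of duties
            if cr.emergency:
                # Emergency path: approval may follow deployment, but only within the window.
                if cr.approved_at - d.deployed_at > EMERGENCY_APPROVAL_WINDOW:
                    flag("emergency approval outside window")
            elif cr.approved_at > d.deployed_at:
                flag("deployed before approval")
        if not cr.emergency and not cr.tested_in_nonprod:
            flag("no non-production test evidence")
        if not cr.rollback_plan:
            flag("no rollback plan")
    return findings


def findings_by_change(findings: List[Dict]) -> Dict[Optional[str], List[str]]:
    """Group finding reasons by change request id (None = no request)."""
    grouped: Dict[Optional[str], List[str]] = {}
    for f in findings:
        grouped.setdefault(f["cr_id"], []).append(f["finding"])
    return grouped


if __name__ == "__main__":
    for cr_id, reasons in findings_by_change(reconcile(CHANGES, DEPLOYMENTS)).items():
        print(cr_id or "<no CR>", "->", "; ".join(reasons))
```

In the sample data CR-103 produces no finding even though it was deployed before approval, because it went through the emergency path and was approved within the window; CR-105 is flagged because a standard change cannot be approved after the fact. Running this kind of reconciliation monthly, and keeping its output, is itself evidence of the monitoring program described above.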
Who Uses & Why
A SOC 2 Type II report is essential for data centers serving enterprise customers, particularly in regulated industries with stringent data protection requirements. Strictly speaking SOC 2 is never legally mandated; it is demanded by customer contracts and procurement processes, and it becomes a practical precondition when serving financial services institutions, supporting healthcare providers (who still assess HIPAA obligations separately, since a SOC 2 report does not by itself establish HIPAA compliance), working with government contractors, or hosting sensitive e-commerce platforms.

For most data centers a Type II report is strategically critical when actively marketing to enterprise customers, fielding frequent customer audit requests, operating in regulated industries, expanding into new markets, or competing on trust and security positioning. A clean report lets customers rely on the auditor's testing instead of running their own, and signals a commitment to robust operational controls and data protection. Geographically the framework is most prevalent in North America and increasingly requested in European and Asia-Pacific markets.

Smaller or newer data centers often begin with a SOC 2 Type I report, a point-in-time assessment of control design, before committing to a Type II observation period. Reaching a first Type II report typically takes 12 to 18 months of implementation, with costs commonly cited in the range of $30,000 to $100,000 depending on organizational complexity. Although not universally required, SOC 2 Type II has become a de facto industry standard that can significantly differentiate a data center's market positioning and customer trust profile.