Security
What a SOC 2 Type II audit actually proves
Compliance badges get thrown around loosely. Here is what our audit covers, what it does not, and the questions to ask any vendor.
Marcus Lee
April 15, 2026 · 9 min read

A SOC 2 Type II report is one of the most cited and least understood artifacts in vendor security. Here is how to read one.
Type I vs. Type II
Type I describes controls at a point in time. Type II tests that those controls operated effectively over a period — usually several months. Type II is the one that means something.
- Check the Trust Services Criteria in scope, not just the logo.
- Read the auditor exceptions — that is where the truth lives.
- Confirm the observation period is recent and continuous.
A badge is marketing. The report is evidence. Always ask for the report.
— Marcus Lee


