What is SOC 2?
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy — known as the Trust Services Criteria.
Also known as: SOC 2, SOC 2 Type II, Service Organization Control
SOC 2 reports are the de facto standard for demonstrating that a SaaS or cloud service provider handles customer data responsibly. A Type I report evaluates the design of controls at a specific point in time, while a Type II report — the more rigorous and commonly requested version — evaluates both the design and the operating effectiveness of controls over a review period, typically 6-12 months.
The security criterion (also called the Common Criteria) is mandatory in every SOC 2 audit and covers logical and physical access controls, system operations, change management, and risk mitigation. Organizations must demonstrate that they protect information against unauthorized access throughout its lifecycle — including during sharing and transmission. Auditors examine policies, procedures, and technical controls, often scrutinizing how credentials and secrets are managed, shared, and rotated.
Achieving and maintaining SOC 2 compliance requires ongoing effort: documented security policies, access reviews, encryption practices, incident response procedures, vendor management, and employee training. Organizations preparing for SOC 2 often discover that informal practices — like sharing passwords over email or Slack — create audit findings that need remediation.
How Vaulted uses SOC 2
Vaulted helps organizations working toward or maintaining SOC 2 compliance by providing an auditable, secure method for sharing sensitive information. Instead of transmitting credentials through email or chat — which auditors flag as a control deficiency — teams can share secrets through Vaulted's encrypted, self-destructing links. The zero-knowledge architecture, client-side encryption, and automatic expiration align with SOC 2's confidentiality and security criteria, providing evidence that the organization protects sensitive data during sharing.