SOC 2

An independent audit standard that reports on how a service provider controls customer data across security, availability, and confidentiality.

What it is

SOC 2 (Service Organization Control 2) is an auditing standard, defined by the AICPA, that examines how a service provider handles customer data against five "trust services criteria": security, availability, processing integrity, confidentiality, and privacy. An independent auditor performs the examination and issues a report.

There are two report types. A Type I report assesses whether the right controls are designed at a point in time. A Type II report assesses whether those controls actually operated effectively over a period — usually three to twelve months. Type II is the one enterprise buyers generally ask for.

Why it matters for agencies

When an agency adopts a SaaS tool, that tool becomes a custodian of the agency's — and the agency's clients' — data. Larger clients' procurement teams know this, and increasingly ask the agency which of its tools can demonstrate independently audited controls. A SOC 2 report is the standard way a vendor answers that without the client having to take its word for it.

For an agency, a vendor's compliance posture is therefore not an abstraction — it's something that can surface in the agency's own client security reviews.

In SendBriefs specifically

SendBriefs publishes its current security and compliance posture — including where SOC 2 readiness stands and what's audited versus in progress — on the Trust & security page, rather than implying a status it hasn't reached. Underlying controls such as an immutable audit log and a documented sub-processor list are the building blocks that posture is assembled from.
