Definition
A widely used independent audit report on a service provider's controls for security, availability, processing integrity, confidentiality, and privacy, developed by the American Institute of Certified Public Accountants (AICPA). A standard item in vendor security diligence.
In more depth
A SOC 2 report is produced by an independent auditor who evaluates a provider's controls against the AICPA's Trust Services Criteria; a Type I report assesses control design at a point in time, while a Type II report tests how controls operated over a period. Law firms routinely request SOC 2 Type II reports when vetting AI vendors that will touch client data. A SOC 2 covers organizational controls—it does not measure whether an AI model's outputs are accurate.
About the editor: MHSB Solutions, Research desk. MHSB Solutions is not a law firm. This glossary is educational information, not legal advice.
AI terminology and tools change quickly; definitions reflect usage as of the last-updated date. For what bar associations and courts actually require of lawyers using AI, see legalaicompliance.help and consult a licensed attorney in your jurisdiction.