SOC 2 Compliance

Demonstrate security and trust when using AI with customer data

The Gold Standard for SaaS Security

SOC 2 (Service Organization Control 2) is an auditing framework that verifies your organization's security controls. Enterprise customers increasingly require SOC 2 compliance, especially when you process their sensitive data—including with LLMs.

Trust Services Criteria (TSC)

Security (Required)

Protection against unauthorized access, use, or modification of information.

LLM Relevance: Access controls for who can send data to LLMs, encryption, network security

Availability

System is available for operation and use as agreed.

LLM Relevance: LLM API uptime, redundancy, disaster recovery plans

Processing Integrity

System processing is complete, valid, accurate, timely, and authorized.

LLM Relevance: Quality controls on LLM outputs, validation procedures, error handling

Confidentiality

Information designated as confidential is protected.

LLM Relevance: Data sent to LLMs not leaked, vendor data isolation, no training on your data

Privacy

Personal information is collected, used, retained, disclosed, and disposed of in accordance with privacy commitments.

LLM Relevance: Privacy policies disclose LLM usage, data minimization, retention policies, data subject rights

LLM Vendor SOC 2 Reports

If you're SOC 2 certified (or pursuing it), your auditor will want to see SOC 2 reports from your LLM vendors. This demonstrates you're using secure third-party services.

✓ Major LLM Vendors with SOC 2 Reports:

Google Cloud (Vertex AI) - SOC 2 Type II available
AWS (Bedrock) - SOC 2 Type II available
Microsoft Azure (OpenAI Service) - SOC 2 Type II available
Anthropic - SOC 2 Type II (request from sales)
OpenAI - SOC 2 Type II for API (request from enterprise sales)

⚠️ Type I vs. Type II Reports

Type I: Controls are appropriately designed at a specific point in time.

Type II: Controls are operating effectively over a period (usually 6-12 months). Type II is preferred.

Maintaining SOC 2 with LLMs

Control Requirements

Access Controls

  • Role-based access to LLM APIs
  • Multi-factor authentication
  • Regular access reviews
  • API key rotation policies

Data Encryption

  • TLS for data in transit
  • Encryption at rest (vendor responsibility)
  • Key management procedures

Monitoring & Logging

  • Log all LLM API calls
  • Monitor for anomalies
  • Centralized log management
  • Retention per policy

Vendor Management

  • Vendor risk assessments
  • Annual SOC 2 report reviews
  • Contractual security requirements
  • Incident notification procedures
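The Access Controls and Monitoring & Logging requirements above are easiest to evidence when every LLM call passes through one gateway that enforces them and writes a structured audit record. The following Python example is added here as an illustration and is not code from the original page or from any vendor; the role map, classification labels, 90-day key age and per-minute rate threshold are all constructed assumptions, and the vendor client is simulated by a plain function. Prompts are logged only as a SHA-256 hash so the audit trail cannot itself become a confidentiality leak.

```python
"""Hypothetical control layer in front of an LLM API (added example).

Enforces role-based access, refuses data above an allowed classification,
refuses calls on an API key past its rotation age, flags per-user call-rate
anomalies, and writes one structured audit record per call.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed role -> permitted operation map (assumption, not a vendor feature).
ROLE_PERMISSIONS = {
    "support_agent": {"summarize"},
    "ml_engineer": {"summarize", "generate"},
}

# Assumption: only these classifications may be sent to a third-party LLM.
ALLOWED_CLASSIFICATIONS = {"public", "internal"}


class LLMAuditGateway:
    def __init__(self, send_fn, key_created_at, max_key_age_days=90,
                 rate_limit_per_minute=30, now=None):
        self.send_fn = send_fn                      # simulated vendor client
        self.key_created_at = key_created_at        # when the API key was issued
        self.max_key_age = timedelta(days=max_key_age_days)
        self.rate_limit = rate_limit_per_minute
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.audit_log = []                         # ship to central log store in production
        self._calls = {}                            # user -> timestamps of recent calls

    def key_is_stale(self):
        """True when the key is older than the rotation policy allows."""
        return self._now() - self.key_created_at > self.max_key_age

    def _record(self, **fields):
        entry = {"ts": self._now().isoformat(), **fields}
        self.audit_log.append(entry)
        return entry

    def export_jsonl(self):
        """Serialize the audit trail as JSON lines for centralized log management."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)

    def denied_count(self):
        return sum(1 for e in self.audit_log if e["outcome"] == "denied")

    def call(self, user, role, operation, prompt, classification):
        # Hash the prompt so the log records what was sent without storing the content.
        prompt_hash = hashlib.sha256(prompt.encode("utf-8")).hexdigest()
        base = dict(user=user, role=role, operation=operation,
                    classification=classification, prompt_sha256=prompt_hash)

        if operation not in ROLE_PERMISSIONS.get(role, set()):
            self._record(outcome="denied", reason="rbac", **base)
            return None
        if classification not in ALLOWED_CLASSIFICATIONS:
            self._record(outcome="denied", reason="classification", **base)
            return None
        if self.key_is_stale():
            self._record(outcome="denied", reason="stale_api_key", **base)
            return None

        # Sliding one-minute window per user; exceeding the limit is flagged, not blocked,
        # so the anomaly shows up in monitoring without breaking legitimate bursts.
        now = self._now()
        window = [t for t in self._calls.get(user, []) if now - t < timedelta(minutes=1)]
        window.append(now)
        self._calls[user] = window
        anomaly = len(window) > self.rate_limit

        response = self.send_fn(prompt)
        self._record(outcome="allowed", anomaly=anomaly,
                     response_len=len(response), **base)
        return response


if __name__ == "__main__":
    fixed = datetime(2024, 1, 1, tzinfo=timezone.utc)            # constructed clock
    gw = LLMAuditGateway(lambda p: "ok:" + p,
                         key_created_at=fixed - timedelta(days=10),
                         now=lambda: fixed)
    gw.call("alice", "support_agent", "summarize", "ticket text", "internal")
    gw.call("alice", "support_agent", "generate", "ticket text", "internal")
    gw.call("alice", "support_agent", "summarize", "customer ssn", "restricted")
    print(gw.export_jsonl())
```

The gateway's audit records (user, role, operation, classification, prompt hash, outcome, anomaly flag) are exactly the evidence an auditor asks for under "Evidence of monitoring and logging", and the `key_is_stale` check turns the key-rotation policy into something that is enforced rather than merely written down.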

Documentation Your Auditor Will Request

  • List of all LLM vendors and services used
  • Vendor SOC 2 Type II reports (within last 12 months)
  • Contracts/agreements with LLM vendors
  • Data flow diagrams showing what data goes to LLMs
  • Access control policies and user access lists
  • API key management procedures
  • Incident response plans for LLM-related security events
  • Evidence of monitoring and logging

SOC 2 Best Practices for LLM Usage

DO: Request Vendor SOC 2 Reports Early

Don't wait until audit time. Get reports before committing to a vendor.

DO: Document Control Inheritance

Show how vendor controls satisfy your SOC 2 requirements (carve-out approach).

DO: Implement Change Management

Document and approve changes to LLM integrations and configurations.

DO: Test Controls Regularly

Quarterly reviews of access logs, encryption, and monitoring effectiveness.

DON'T: Use Vendors Without SOC 2

If you're SOC 2 certified, using non-SOC 2 vendors creates audit risk.

DON'T: Skip Vendor Risk Assessments

Even with SOC 2 reports, assess residual risks and compensating controls.

Maintain SOC 2 Compliance with AI

We can help you implement SOC 2-compliant AI workflows and prepare for audits