Glossary

SOC 2

A widely-recognised audit framework for service-organisation security and trust controls — Microsoft 365 is SOC 2 audited.

SOC 2 (Service Organization Control 2) is the AICPA-defined audit framework for service-organisation security, availability, processing integrity, confidentiality, and privacy controls — collectively the Trust Services Criteria. SOC 2 Type 1 reports validate that controls are designed appropriately at a point in time; Type 2 reports validate that controls operated effectively over a period (typically 6–12 months). Microsoft 365 has annual SOC 1, SOC 2, and SOC 3 audit reports available in the Microsoft Service Trust Portal. Customers in industries demanding SOC 2 attestation from their vendors typically request the Microsoft 365 SOC 2 report as part of customer due diligence — Microsoft's report covers the underlying service, complementing your own SOC 2 if you have one.