# SOC 2 Type II

### 🟢 SOC 2 Type II Compliant

<div data-full-width="true"><figure><img src="/files/58kDUhqnpYedWt18KBxg" alt=""><figcaption></figcaption></figure></div>

{% content-ref url="/pages/trmtTDgdW8qg56cvQz0s" %}
[Contabo SOC 2 T2](/lisaiceland/privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii/contabo-soc-2-t2.md)
{% endcontent-ref %}

### 🟢 For SOC 2 Type II compliance...

* [x] We have established controls mapped to the Trust Services Criteria (Security is mandatory; Availability and the other criteria are included where they apply to our service commitments).
* [x] Every control, policy and procedure is documented.
* [x] We are conducting a readiness assessment (gap analysis) and will then run continuous monitoring for several months to build the evidence window.
* [x] We will undergo an audit by an independent CPA firm that tests whether our controls operated effectively over that period, using detailed evidence such as access logs, incident reports, and training records.

### Here's our step-by-step breakdown...

**1. Understand the Basics**

* **Trust Services Criteria (TSC)**
  * Decide which criteria apply to our service commitments
  * Security (the Common Criteria) is mandatory for every SOC 2 report
  * The optional criteria are Availability, Processing Integrity, Confidentiality and Privacy
* **Type II**
  * Proves controls are operating effectively over a *period* (typically 3 to 12 months), not just at a single point in time as a Type I report does.

**2. Prepare our Environment**

* **Scope Definition**
  * Define the systems, processes, and data included in our audit.
* **Gap Analysis (Readiness Assessment)**
  * Identify weaknesses in our current security, access, and data handling.
* **Build Controls**
  * Implement policies (e.g., access, incident response, data classification) and technical configurations (e.g., RBAC, least privilege, encryption).
* **Documentation**
  * Create comprehensive policies, procedures, and evidence-gathering processes (e.g., asset inventory, data flow diagrams).

**3. The Evidence & Audit Phase**

* **Evidence Window**
  * Start collecting proof (logs, reports, screenshots) that our controls are working as designed, and keep collecting it for the whole audit period (several months).
* **Auditor Selection**
  * Hire an independent Certified Public Accountant (CPA) firm experienced in SOC 2.
* **Fieldwork**
  * The auditor reviews our documentation, interviews staff, and tests controls against the evidence.
* **Reporting**
  * The CPA issues an opinion on our controls' effectiveness over the audit period.

**4. Ongoing Maintenance**

* **Continuous Monitoring**
  * SOC 2 Type II isn't a one-time event.
  * We know that we must maintain and update controls and evidence continually.
* **Employee Training**
  * Regularly train staff on security policies.

### **Key for our Servers**

On the servers themselves we will focus on:

* **Logical Access** (e.g. who can log in, what they can do)
* **Physical Access** (e.g. data center security)
* **Monitoring & Logging**
* **Incident Response**
* **Backup/Recovery** procedures
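
As an added example (not code from this page, from Contabo, or from any audit tooling), the following Python script shows what an automated evidence check for the Logical Access area can look like: it parses an `sshd_config` the way sshd does (the first value for each keyword wins, and directives after the first `Match` line are conditional, so they are skipped), compares the effective settings with the expected values, lists accounts that still have an interactive shell, and emits a dated record that can be filed in the evidence window. The `sshd_config` and `/etc/passwd` contents and the `EXPECTED` table are constructed for illustration.

```python
"""Automated evidence check for the Logical Access control area on a Linux
server. Added example with constructed inputs; not taken from a real host."""
import datetime as dt
import re

# Constructed sample inputs (illustrative, not from a real server).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# sshd ignores this later duplicate: the first value wins.
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed weak configuration: root login allowed, PasswordAuthentication
# left unset (sshd's compiled-in default for it is "yes").
SAMPLE_SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Alice Ops:/home/alice:/bin/bash
svc-deploy:x:1002:1002:deploy:/srv/deploy:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Expected global directives for "remote logins use keys and are never root".
# sshd_config keywords are case-insensitive, so keys are stored lowercased.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_sshd_global(text):
    """Return the effective global directives of an sshd_config.

    Accepts both `Keyword value` and `Keyword=value`, keeps the first value
    seen per keyword, and stops at the first `Match` block because everything
    after it applies only to the matched connections.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def login_capable_accounts(passwd_text):
    """Accounts with an interactive shell, from /etc/passwd-format text."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            users.append(fields[0])
    return users


def evaluate_logical_access(sshd_text, passwd_text):
    """Build an evidence record: one finding per expected directive, the
    list of login-capable accounts for reviewer sign-off, and a timestamp."""
    effective = parse_sshd_global(sshd_text)
    findings = []
    for key, allowed in EXPECTED.items():
        actual = effective.get(key)  # None means "not set": sshd default applies
        findings.append({
            "control": f"sshd {key}",
            "expected": sorted(allowed),
            "actual": actual,
            "status": "PASS" if actual in allowed else "FAIL",
        })
    return {
        "control_area": "Logical Access",
        "collected_at": dt.datetime.now(dt.timezone.utc).isoformat(),
        "findings": findings,
        "login_capable_accounts": login_capable_accounts(passwd_text),
        "overall": "PASS" if all(f["status"] == "PASS" for f in findings) else "FAIL",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_logical_access(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD), indent=2))
    print(json.dumps(evaluate_logical_access(SAMPLE_SSHD_CONFIG_WEAK, SAMPLE_PASSWD), indent=2))
```

Run on a schedule, with the JSON output stored in the evidence repository, a check like this gives the auditor a dated series of control tests rather than a single screenshot. The weak constructed configuration shows the failure mode worth handling: an unset `PasswordAuthentication` is reported as a failure, because sshd falls back to its default of `yes` when the directive is absent.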

{% content-ref url="/pages/pD0nMCoibNNyguZMv5LF" %}
[Compliant LLM Gateway](/lisaiceland/platform+/subprocessors/compliant-llm-gateway.md)
{% endcontent-ref %}
