SOC 2 Type II
Overview
SOC 2 Type II is an independent attestation, performed by a licensed CPA firm under AICPA standards, that evaluates the design and operating effectiveness of a service organization's controls over a defined observation period (typically six to twelve months). It is the assurance report most widely requested by enterprise procurement and security review teams in North America.
Current status
In progress — targeting Q4 2026
Backbuild is working toward SOC 2 Type II. Controls are aligned to the applicable Trust Service Criteria, the internal gap assessment is complete, and auditor selection is in progress. A Type I point-in-time report will be issued first, followed by an observation period leading to the Type II attestation targeted for Q4 2026.
Trust Service Criteria in scope
- Security (Common Criteria, CC1–CC9): control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation.
- Availability (A1): capacity planning, environmental protections, backup and recovery, and incident response for availability events.
- Confidentiality (C1): identification, protection, and disposal of confidential information throughout its lifecycle.
Processing Integrity and Privacy are not currently in scope. These criteria may be added in a future audit cycle based on customer demand and the evolution of the platform.
Control families implemented
- Logical access controls: single sign-on, multi-factor authentication, role-based access control, quarterly access reviews, and automated deprovisioning.
- Change management: peer-reviewed pull requests, mandatory CI checks, protected branches, and auditable deployment pipelines.
- Risk management: annual enterprise risk assessment, quarterly risk register reviews, and documented treatment plans.
- Monitoring: centralized log aggregation, tamper-evident audit trails, anomaly alerting, and 24x7 on-call coverage.
- Incident response: documented runbooks, tabletop exercises, severity classification, and post-incident review process.
- Vendor management: documented sub-processor inventory, due diligence reviews, and contractual data protection commitments.
- System operations: configuration baselines, patch management, vulnerability scanning, and capacity monitoring.
Requesting evidence
During the interim period before the Type II report is issued, qualified customers and prospects can request the following under a mutual non-disclosure agreement:
- Letter of intent confirming audit engagement and timeline
- Internal gap assessment summary and remediation status
- Control matrix mapped to Trust Service Criteria
- SOC 2 Type I report, once issued
- Bridge letter covering the gap between the Type I report and the customer's review date
When the Type II report is issued, it will be made available under NDA on a rolling basis. We will also publish a summary and any updated bridge letters through this trust site.
Contact
For evidence requests, audit reports, or compliance questions: security@backbuild.ai