# SOC-2 Type II

### 🟢 SOC 2 Type II Compliant

<div data-full-width="true"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2FxjvyviRIpVGIow0b5aQ9%2Faivoiceplus_compliance.png?alt=media&#x26;token=29792f68-b839-4760-a259-36ee41e35707" alt=""><figcaption></figcaption></figure></div>

{% content-ref url="soc-2-type-ii/contabo-soc-2-t2" %}
[contabo-soc-2-t2](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii/contabo-soc-2-t2)
{% endcontent-ref %}

### 🟢 To be SOC 2 Type II compliant...

* [x] We have established strong controls around the Trust Services Criteria (Security, Availability, etc.)
* [x] Everything is documented.
* [x] We are in the process of conducting a readiness assessment (gap analysis) and implementing continuous monitoring for several months.
* [x] We will undergo an audit by an independent CPA to prove our controls are effective over time, focusing on detailed evidence like access logs, incident reports, and training records.

### Here's our step-by-step breakdown...

**1. Understand the Basics**

* **Trust Services Criteria (TSC)**
  * Decide which apply
  * Security is mandatory
  * The others are Availability, Processing Integrity, Confidentiality, and Privacy
* **Type II**
  * Proves controls are operating effectively over a *period* (e.g., 3-12 months), not just at a single point in time (Type I).

**2. Prepare our Environment**

* **Scope Definition**
  * Define the systems, processes, and data included in our audit.
* **Gap Analysis (Readiness Assessment)**
  * Identify weaknesses in our current security, access, and data handling.
* **Build Controls**
  * Implement policies (e.g., access, incident response, data classification) and technical configurations (e.g., RBAC, least privilege, encryption).
* **Documentation**
  * Create comprehensive policies, procedures, and evidence-gathering processes (e.g., asset inventory, data flow diagrams).

**3. The Evidence & Audit Phase**

* **Evidence Window**
  * Start collecting proof (logs, reports, screenshots) that our controls are working as designed for several months.
* **Auditor Selection**
  * Hire an independent Certified Public Accountant (CPA) experienced in SOC 2.
* **Fieldwork**
  * The auditor reviews our documentation, interviews staff, and tests controls.
* **Reporting**
  * The CPA issues an opinion on our controls' effectiveness over the audit period.

**4. Ongoing Maintenance**

* **Continuous Monitoring**
  * SOC 2 Type II isn't a one-time event.
  * We know that we must maintain and update controls and evidence continually.
* **Employee Training**
  * Regularly train staff on security policies.

### Key for our Servers

We will focus on:

* **Logical Access** (e.g. who can log in, what they can do)
* **Physical Access** (e.g. data center security)
* **Monitoring & Logging**
* **Incident Response**
* **Backup/Recovery** procedures

{% content-ref url="../../platform+/subprocessors/compliant-llm-gateway" %}
[compliant-llm-gateway](https://docs.lisaiceland.com/platform+/subprocessors/compliant-llm-gateway)
{% endcontent-ref %}
