SOC 2 Type II for Virtual Data Rooms
SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) is an AICPA attestation framework built on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type II report is an independent auditor's opinion on whether controls were suitably designed and operated effectively over a review period (typically six to twelve months). Unlike an ISO certificate, a SOC 2 report is a restricted-use document: providers share it with prospective customers under NDA rather than publishing it.
For European VDR procurement, SOC 2 Type II is often required when US bidders or US-headquartered advisors are involved, or when the buyer is a US-listed group. It complements ISO 27001 (a certifiable management-system standard) and BSI C5 (the German federal cloud criteria catalogue) rather than replacing them.
Last updated: May 2026.
Five Trust Services Criteria
- Security (the Common Criteria). The system is protected against unauthorized access, both logical and physical. This is the only mandatory category; the other four are included at the provider's discretion, so check which ones a report actually covers.
- Availability. The system is available for operation and use as committed or agreed.
- Processing Integrity. System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of in conformity with the provider's privacy commitments.
VDR Providers with SOC 2
- [Papermark](/providers/papermark) — SOC 2.
- [netfiles](/providers/netfiles) — SOC 2.
- [Brainloop](/providers/brainloop) — SOC 2.
- Most major US-headquartered providers (Datasite, Intralinks) routinely hold SOC 2 reports; request the current report under NDA and confirm its type, scope, and review period rather than relying on the badge.
Frequently Asked Questions
Is SOC 2 enough for European deals?
Sometimes, but rarely on its own. For deals under BaFin or FINMA supervision, or in other regulated industries, layer it with ISO 27001 and BSI C5. For routine European M&A, SOC 2 plus ISO 27001 plus a GDPR Article 28 data processing agreement is the modern baseline.
What is SOC 2 Type 1 vs Type 2?
Type 1 attests that controls were suitably designed at a single point in time; Type 2 attests that they were suitably designed and operated effectively over a period (typically six to twelve months). Type 2 is the meaningful one for procurement. When you receive a report, check that the review period ends recently (ask for a bridge letter covering any gap since the period end), that Security is in scope along with whichever other criteria matter to you, that any carved-out subservice organizations (for example, the hosting provider) are ones you are comfortable with, and read the exceptions and auditor's opinion rather than stopping at the cover page.