SOC 2 Overview
Document ID: SOC-001
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
1. What is SOC 2?
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). A licensed CPA firm examines an organisation's controls against the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is required in every SOC 2 engagement; the other four categories are included according to the services and commitments in scope.
SOC 2 is the de facto security assurance standard expected of SaaS companies serving US enterprise customers.
2. Why SOC 2 for CTW Data Solutions?
| Driver | Detail |
| --- | --- |
| Enterprise sales | US and global enterprise customers require SOC 2 reports as part of vendor assessment |
| Market access | SOC 2 is expected alongside ISO 27001 for SaaS providers in the identity verification space |
| Customer trust | Demonstrates independently audited security controls |
| Competitive advantage | Differentiator versus competitors without a SOC 2 report |
| Synergy with ISO 27001 | ~70% control overlap: the ISMS already addresses most SOC 2 requirements |
3. SOC 2 Report Types
| Type | Description | Our target |
| --- | --- | --- |
| Type I | Point-in-time assessment of whether controls are suitably designed and implemented as of a specified date | Q4 2026 |
| Type II | Assessment of control design and operating effectiveness over a review period (typically 6-12 months) | Q2-Q3 2027 |
4. Trust Services Criteria in Scope
| Category | In scope | Rationale |
| --- | --- | --- |
| Security (Common Criteria) | ✅ Yes | Mandatory for all SOC 2 engagements |
| Availability | ✅ Yes | Quick-ID API uptime is critical for customers |
| Processing Integrity | ✅ Yes | OCR accuracy and data processing correctness are core to the product |
| Confidentiality | ✅ Yes | Customer API keys, source code, and business data require protection |
| Privacy | ✅ Yes | Government ID images and personal data are processed |
5. SOC 2 vs ISO 27001 Alignment
| Aspect | ISO 27001 | SOC 2 |
| --- | --- | --- |
| Origin | International (ISO) | US (AICPA) |
| Output | Certificate (pass/fail) | Audit report (with auditor's opinion) |
| Auditor | Accredited certification body | Licensed CPA firm |
| Scope | ISMS | Trust Services Criteria |
| Control framework | Annex A (93 controls) | Trust Services Criteria (61 criteria: 33 Common Criteria plus the category-specific criteria, each expanded by points of focus) |
| Overlap | n/a | ~70% overlap with ISO 27001 |
See: Control Mapping for detailed alignment.
6. Readiness Status
| TSC category | Current readiness | Gap summary |
| --- | --- | --- |
| Security (CC) | 🟡 ~80% | Most controls in place; gaps in log retention (30 days today versus the 90+ day target), NDA formalisation, and the background check process |
| Availability (A) | 🟡 ~70% | BCP documented; formal SLA monitoring needed |
| Processing Integrity (PI) | 🟡 ~65% | OCR validation exists; formal accuracy monitoring needed |
| Confidentiality (C) | 🟢 ~100% | Classification and DLP in place |
| Privacy (P) | 🟢 ~100% | GDPR programme covers most requirements |
See: SOC 2 Readiness Roadmap for gap closure plan.
7. Key Documents
March 9, 2026