What SOC 2 Type II Actually Is
SOC 2 is a security framework developed by the AICPA for service organizations that store or process customer data. There are two levels. A Type I report confirms that a vendor has described their controls accurately at a point in time. A Type II report goes further: auditors test whether those controls actually operated continuously and effectively over an extended observation period, typically six to twelve months.
The difference matters in practice. A vendor can claim "SOC 2-ready" or "SOC 2-compliant" without a Type II report. Any security team with a Saturday afternoon can write down control descriptions. Earning a Type II report requires months of evidence: access logs, incident records, change management tickets, vulnerability scan results. An independent auditor reviews the full body of evidence and issues a formal opinion on whether controls worked as designed.
We are now Type II certified. The monitoring period is behind us. The auditors reviewed the evidence and signed off.
What the Audit Covered
Our Type II report covers four of the five trust service criteria defined by the AICPA.
Security. Logical and physical access controls, network monitoring, vulnerability management procedures, and incident response. This includes how we grant and revoke access, how we detect anomalies, and how we respond when something goes wrong.
Availability. Infrastructure monitoring, redundancy architecture, and disaster recovery planning. The controls that keep the platform running and define recovery time targets when it does not.
Confidentiality. Data classification, encryption in transit and at rest, and controls around who can see what. This is particularly relevant for CRE deal workflows where one firm's pipeline data should never be visible to another firm's users on a shared platform.
Processing integrity. Controls that ensure deal data is processed accurately and completely. For a platform that extracts financial data from source documents and populates underwriting models, this criterion covers the accuracy guarantees built into the extraction and validation pipeline.
See the full breakdown of how AcquiOS handles data isolation, RBAC, private cloud deployment, and audit trails on the Security & Architecture page.
Why It Matters for Your Firm
Two situations where this directly affects your AcquiOS evaluation.
The first is procurement. Institutional investors, family offices, and PE firms increasingly require SOC 2 Type II reports before approving software for deal workflows. If your legal, compliance, or IT team is a bottleneck in your evaluation, the report removes that bottleneck. We can provide it directly to your security team under a standard NDA as part of your vendor diligence process.
The second is operational confidence. AcquiOS handles some of the most sensitive pre-close data a firm produces: rent rolls, T-12 financials, purchase price negotiations, broker relationships, IC memos. The certification is an independent third party confirming that the controls around that data are real, tested, and working. Not a marketing claim. Not a self-assessment. An auditor's opinion backed by months of evidence.
For teams managing multiple deals simultaneously across analysts and associates, SOC 2 Type II also validates the underlying access control architecture. Your firm's data is segregated from other firms on the platform. Access logs are maintained. Permissions can be audited. The certificate confirms those controls held up under scrutiny over the observation period.
Getting the Report
SOC 2 is not a one-time check. Type II certification requires continuous monitoring and annual re-certification. We plan to maintain that cadence and will publish updates here as each cycle completes.
If your firm needs the report for vendor due diligence, there are two ways to request it. Send a note to sales@acquios.ai with your firm name and point of contact. Or raise it during your demo conversation and we will send it over before your security team's review window.
The full architecture detail, including private cloud deployment options, data residency controls, RBAC configuration, and audit log specifications, is on the Security & Architecture page.