
SOC 2 Type II — operational controls audited

Annual SOC 2 Type II report covering Security, Availability and Confidentiality for customers in Italy.

Trust Service Criteria in scope

Security (mandatory), plus Availability and Confidentiality. Privacy is available as a separate scope on request. Each TSC has defined control objectives, and the auditor tests both the design and the operating effectiveness of the controls over the period.

Type II vs Type I

Type II tests controls over a period (typically 12 months), not just at a point in time. This is what enterprise procurement asks for. We do Type II with 12-month coverage; a bridge letter covers the gap until the next report.

Reporting cadence and access

A new report is published annually and replaces the previous one when it is superseded. A bridge letter is issued every quarter to cover continuity until the next audit. Both are shared under NDA with prospects and customers.

Italy — local relevance

Italian enterprise buyers (banks, insurers, public sector) increasingly request SOC 2 as part of vendor questionnaires. We pre-empt the questionnaire: the report is shared with the first NDA. The Milano sales team is trained on SOC 2 vocabulary.

FAQ

Type II or Type I?

Type II, which covers a period. Type I is point-in-time and less useful for ongoing trust.

Auditor name?

A Big-4 affiliate; the name is disclosed under NDA. Independence is confirmed annually.

Sub-service organizations?

Cloud and data centre providers are sub-service organizations, handled via the inclusive method with a carve-out of their controls.

Findings / exceptions?

The report discloses any exceptions found. We respond to each with a management response in the report.

Privacy in scope?

The Privacy TSC is available on request and adds GDPR-aligned controls coverage.
