What does SOC 2 compliance mean when buying software?

SOC 2 (System and Organization Controls 2) is an attestation framework defined by the AICPA. An independent auditor examines a vendor's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and issues a report. Only the security criterion is mandatory; the others are in scope only if the vendor chooses to include them, so a SOC 2 report does not automatically say anything about availability or confidentiality. There are two report types: a Type I report assesses whether controls are suitably designed at a single point in time, while a Type II report covers a review period, commonly 6 to 12 months, and tests whether the controls actually operated effectively throughout it. For B2B purchases involving sensitive data, a Type II report is the one to ask for. Read the report itself rather than relying on a "SOC 2 compliant" badge: check which criteria and which systems were in scope, the review period and how recent it is, any exceptions the auditor noted, and whether key subservice providers (for example the vendor's cloud host) were carved out of the assessment. Vendors normally share these reports under an NDA, and requesting one is a reasonable due diligence step.