# SOC 2 Type 1 vs Type 2: The Difference That Determines Whether Your Vendor Is Actually Audited

> A plain-language breakdown of the two SOC 2 attestation types — why Type 1 is mostly marketing and why Type 2 is the only one procurement teams accept.

**Author:** Shawn Burst  
**Published:** 2026-05-18  
**Category:** Vendor Security  
**Reading time:** ~5 min  
**Tags:** SOC 2, Compliance, Vendor security, Audit, Buyer's guide

Canonical URL: https://directmail.io/blog/soc-2-type-1-vs-type-2-explained/

---

Vendors love to put "SOC 2 certified" on their marketing pages without specifying which Type. There's a reason for that. Type 1 is much easier and faster to obtain than Type 2, and a lot of vendors hope buyers won't ask which one they have. Procurement teams always ask. So should you.

Here's the difference in plain language, and why it matters for any marketing platform you're considering.

## SOC 2 Type 1: a point-in-time snapshot

SOC 2 Type 1 is an attestation that — on a single specific date — the vendor's security controls were designed appropriately and were in place. An independent auditor reviews the vendor's policies, talks to the vendor's team, looks at the configuration of systems on that day, and writes a report saying *"yes, on December 15th, this vendor's controls matched their documented policies."*

Type 1 is achievable in 30-60 days if a vendor hires a consulting firm to help draft policies and configure systems for the audit. It's a real audit, but it tests design, not operation. A Type 1 report tells you the vendor was security-shaped on the day of the audit. It tells you nothing about whether the vendor's actual operations across a normal business year match those policies.

For procurement purposes, Type 1 is a flag that says *"we're working toward security maturity"* — not a flag that says *"we have it."*

## SOC 2 Type 2: an audit of ongoing operations

SOC 2 Type 2 is an attestation that — across a defined observation period of 6 to 12 months — the vendor's security controls operated effectively, not just existed on paper. The auditor doesn't just review policies on day one; they sample evidence across the observation window: ticket histories, access logs, code review records, deployment records, incident response activity, change management records, vulnerability scans, backup and recovery exercises.

The auditor's question isn't *"is this control documented?"* It's *"did this control actually operate as documented for the entire 6-12 months we're looking at?"*

The difference matters because security maturity isn't a policy library. It's an operational habit. Type 2 forces the vendor to be operationally secure on a Tuesday in March when nobody's looking — not just on the audit date when everyone's prepared. A vendor that maintains Type 2 across multiple consecutive years has built a security culture, not just a security poster.

## Why Type 2 is the procurement standard

When enterprise procurement teams write "SOC 2 certification required" in their vendor onboarding form, they almost universally mean Type 2 — even when they don't specify. Type 1 will sometimes get accepted as evidence of "in progress" with a commitment to achieve Type 2 within a defined window (typically 12 months). For ongoing vendors handling production data, Type 2 is the bar.

Three reasons:

**1. Type 1 is too easy.** A vendor can hire consultants, get into Type 1 shape in two months, pass the audit, then drift back to pre-audit operational habits. The Type 1 certificate is still valid for 12 months. Procurement teams know this.

**2. Type 2 evidence is much harder to fake.** Sampling six months of access logs, ticket records, and change management entries reveals what's actually happening. Tidying up paperwork won't survive auditor sampling across a long window.

**3. Type 2 requires the right kind of vendor.** Maintaining Type 2 year after year requires engineering process discipline, dedicated security ownership, and operational maturity. Vendors that maintain Type 2 are structurally different from vendors that don't. Procurement teams want the former.

## How to read a SOC 2 Type 2 report

When a vendor sends you their SOC 2 Type 2 report under NDA, these are the things to look for:

**The audit period.** Should be a specific date range, typically 12 months. Shorter periods (3 or 6 months) are sometimes used for first-time Type 2 audits — but the next year's report should cover the full 12.

**The auditing firm.** Should be a recognized SOC 2 auditor: Schellman, Coalfire, A-LIGN, Prescient Assurance, BDO, KPMG, Deloitte, EY, PwC, or a comparable firm. Lesser-known firms can be legitimate, but warrant checking the firm's reputation before relying on the report.

**Trust service criteria in scope.** Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories. Vendors handling sensitive marketing data should ideally cover Security + Confidentiality at minimum. Healthcare-adjacent vendors should add Privacy.

**Exceptions noted.** Every real Type 2 report has some exceptions — control instances that didn't operate as designed during the observation period. Reasonable exceptions, remediated, are normal. Zero exceptions across the full report is suspicious; either the controls weren't tested rigorously or the report has been redacted.

**Management's response.** The report includes management's response to any exceptions noted. Honest, specific responses with concrete remediation timelines are a positive signal. Vague responses are a flag.

**The report date.** Should be reasonably recent — within the past 14 months. If the most recent report is two years old, the vendor either let their certification lapse or hasn't completed the latest audit yet.

## How DirectMail.io's Type 2 program works

DirectMail.io maintains SOC 2 Type 2 certification across the five trust service criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. The audit is performed annually by an independent third-party firm. The current report is available to enterprise customers and qualified prospects under a mutual non-disclosure agreement.

The audit period covers a full 12 months. Trust service criteria in scope include all five. Subprocessor management, encryption practices, audit logging, access controls, and incident response are all in scope.

For procurement teams reviewing the report: NDA execution typically completes within 48 hours of request. The full vendor security packet — SOC 2 report, security questionnaire responses (SIG, CAIQ, custom), BAA / DPA / SCC documentation, subprocessors list — is delivered as a single package. A security review call with the platform infrastructure team is included in standard enterprise reviews.

The full security posture is documented on the [security page](/security).

## The deeper read

This post is part of a vendor security cluster covering procurement, liability, and operational practice:

- [SOC 2 Type 2 for Marketing Platforms: What Procurement Asks, and What "Yes" Actually Means](/blog/soc-2-type-2-marketing-vendor-procurement/) — what procurement teams actually look for
- [When a Direct Mail Vendor Has a Breach: Who's Actually Liable?](/blog/direct-mail-vendor-breach-liability/) — how liability flows in practice
- [The 8 Security Documents Your Direct Mail Vendor Should Produce in 48 Hours](/blog/direct-mail-vendor-security-documents/) — the document checklist

For the broader buyer's guide context, [How to Choose a Direct Mail Platform: 14 Questions That Actually Matter in 2026](/blog/how-to-choose-direct-mail-platform/) covers SOC 2 as one of fourteen platform-evaluation questions.

[Request the DirectMail.io SOC 2 Type 2 report under NDA](/contact) or [book a security review call](/product-demo).