What Is SOC 2?

SOC 2 is a term used in the recruitment and staffing industry.

Category: Compliance & Data
Updated March 2026

TL;DR

SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. For SaaS recruitment platforms and ATS vendors, SOC 2 Type II certification is increasingly a non-negotiable requirement for enterprise sales.

What SOC 2 Means in Practice

SOC 2 is not a certification you achieve - it is a report you commission. A licensed CPA firm conducts an audit of your controls against the relevant Trust Service Criteria and issues a report. SOC 2 Type I covers controls as designed at a point in time. SOC 2 Type II covers controls as operating effectively over a defined audit period - typically 6 or 12 months. Enterprise clients invariably require Type II, because a Type I report proves controls exist on paper but does not demonstrate they work consistently.

The Security criterion (also called the Common Criteria, CC) is mandatory. It covers logical and physical access controls, system operations, change management, and risk mitigation. The remaining four criteria - availability, processing integrity, confidentiality, and privacy - are optional; organizations select those relevant to their services. An ATS vendor that stores and processes candidate data for clients would typically include confidentiality and privacy criteria in addition to security.

The Common Criteria are mapped to the COSO framework and organized into categories: CC1 (Control Environment), CC2 (Communication and Information), CC3 (Risk Assessment), CC4 (Monitoring Activities), CC5 (Control Activities), CC6 (Logical and Physical Access Controls), CC7 (System Operations), CC8 (Change Management), and CC9 (Risk Mitigation). CC6 and CC7 are most directly relevant to data security controls such as RBAC, encryption, and audit logging.

The audit period and report issuance date matter more than most buyers realize. A SOC 2 Type II report covering the period January to December 2023 says nothing about controls operating in 2025. Enterprise clients should request reports covering the most recent 12-month period and check the report issuance date. A vendor that cannot produce a report within the last 18 months has a gap that requires explanation.

Why SOC 2 Matters for Recruitment Teams

Enterprise procurement requires SOC 2 Type II as a baseline security credential for SaaS vendors. Large companies, financial services firms, healthcare organizations, and government contractors will not sign vendor contracts without seeing a SOC 2 Type II report. For ATS and recruitment software vendors, this is a commercial reality: the enterprise market segment is inaccessible without SOC 2 certification. The cost of the audit (typically $30,000-$80,000 for the first Type II engagement, $20,000-$50,000 for renewals) is an investment in market access, not just compliance.

For staffing agencies evaluating ATS vendors, requesting and reviewing SOC 2 reports is part of vendor due diligence. A vendor's SOC 2 report identifies which controls were tested, whether any exceptions were found, and what management's responses to exceptions were. Exceptions are not automatically disqualifying - a single exception in a year with a strong management response is different from systematic control failures. Agencies that sign DPAs with vendors without reviewing their SOC 2 reports are accepting security risk they cannot quantify.

Sub-processor management is a live issue in SOC 2 audits. When an ATS vendor uses third-party services (email providers, analytics platforms, infrastructure vendors), the SOC 2 audit will test whether the vendor has performed appropriate due diligence on those sub-processors. Vendors that cannot demonstrate they have reviewed their sub-processors' security will receive audit exceptions in CC9 (Risk Mitigation).

SOC 2 in Action

Candidately, an AI [recruitment platform](/glossary/recruitment-platform) built on Bullhorn's ATS infrastructure, holds SOC 2 Type II certification covering the Security and Confidentiality criteria. During an enterprise RFP from a global financial services firm, the firm's procurement team requests the most recent SOC 2 report, the scope of the audit, and management responses to any exceptions. Candidately provides the Type II report covering a 12-month period, with the scope including all production infrastructure and customer data processing. The two minor exceptions noted in the report relate to a third-party sub-processor's delayed security questionnaire response, with a management response showing the questionnaire was completed within 30 days and a new vendor review schedule implemented. The financial services firm's security team accepts the report and advances the evaluation. Competitors without Type II certification are eliminated.

Compliance Checklist

| Requirement | Type I | Type II |
|---|---|---|
| Point-in-time control design review | Yes | Included |
| Operating effectiveness over audit period | No | Yes (6-12 months) |
| Accepted by enterprise procurement | Rarely | Standard requirement |
| Security criterion (Common Criteria) | Mandatory | Mandatory |
| Availability, integrity, confidentiality, privacy | Optional | Optional |
| Audit period recency | Single date | Must be within last 18 months |
| Sub-processor review tested | Yes | Yes, with evidence over period |
| Exceptions in report | Design gaps noted | Operating failures noted |
| Renewal frequency | Annual recommended | Annual required for enterprise |