SOC 2 Type 2 A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services. These reports are issued by independent third party auditors covering the principles of Security, Availability, Confidentiality, and Privacy. What’s the primary purpose of this initiative? Provides an independent assessment of OneLogin’s security and privacy control environment. The assessment includes a description of the controls, the tests performed to assess them, the results of these tests, and an overall opinion on the design and operational effectiveness of the same. What’s the scope? OneLogin’s SOC 2 Type 2 Report covers the AICPA’s Trust Services Principles and Criteria for Security, Availability, Confidentiality, and Privacy. The report also includes a mapping of the controls tested to ISO/IEC 27001:2013 Annex A / ISO/IEC 27002:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, HIPAA security requirements, and FFIEC’s examination guidelines for GLBA Information Security. How often are you evaluated/audited? Audits are performed semiannually and a report covering July through December is issued in February and a report covering January through June is issued in August. Who performs the evaluation/audit? Armanino LLP performs the report audit. Who is the primary audience? Customers and relevant third parties with a business need.