Decagon raises $250M at a $4.5B valuation.
Learn more
Glossary

SOC 2 Type II

SOC 2 Type II is a compliance framework focused on how service organizations protect customer data over time. Developed by the AICPA, it evaluates controls related to security, availability, confidentiality, processing integrity, and privacy. Unlike a point-in-time assessment, Type II reports examine how controls perform over an extended period, typically three to twelve months.

In AI-based customer service, SOC 2 Type II provides evidence that systems behave reliably and securely during real-world operations, not just on paper.

How SOC 2 Type II works

An independent auditor evaluates a company’s controls against the Trust Services Criteria. For Type II, the auditor tests whether those controls are consistently operating over the reporting period. The final report includes detailed descriptions of systems, controls, and test results.

This depth is especially relevant for AI services that continuously process live customer interactions. It shows that safeguards around data access, system monitoring, incident response, and change management are sustained rather than temporary.

Why SOC 2 Type II matters in AI-based customer service

AI agents often integrate with CRMs, ticketing systems, and identity systems. SOC 2 Type II reassures customers that these integrations are governed by controls that prevent unauthorized access or misuse.

It also addresses reliability concerns. If an AI system fails or exposes data, the impact is immediate. SOC 2 Type II demonstrates operational maturity and readiness for enterprise use.

What SOC 2 does and does not cover

SOC 2 focuses on controls rather than outcomes. It does not certify that an AI model is accurate or unbiased. Instead, it evaluates whether processes exist to manage risks around system behavior, access, and change management.

For example, controls may require review processes when models are updated, reducing risks related to AI hallucinations or unintended outputs.

What SOC 2 Type II looks like in practice for AI teams

SOC 2 Type II shows up in day-to-day workflows for teams building and operating AI-based customer service. In practice, this often includes:

  • Strict access controls so only authorized employees and systems can view customer data or modify AI models
  • Ongoing monitoring and logging of AI interactions, system usage, and data flows to detect unusual behavior
  • Documented change management for model updates, prompt changes, and system integrations
  • Incident response procedures that clearly define how security or availability issues are identified, escalated, and resolved
  • Vendor and integration reviews to ensure third-party tools connected to the AI platform meet security expectations
  • Regular internal reviews to confirm controls are still working as designed over time

Together, these practices help ensure AI systems behave predictably, protect customer data, and remain trustworthy as they scale, which is exactly what SOC 2 Type II is designed to validate.

Considerations for SOC 2 Type II

Preparing for SOC 2 Type II can be resource-intensive. Teams must document workflows, enforce access controls, monitor system activity, and collect evidence continuously. However, the payoff is credibility, especially with regulated or enterprise customers.

SOC 2 Type II pairs well with standards like ISO 27001 and strong authentication practices. Together, they create a layered trust foundation that helps agentic AI customer service scale safely and responsibly.

Learn more

AI grounding
AI hallucinations
AI observability
AI tokens
AI voice agent
After-call work (ACW)
Agent quality score
Agentic AI
Authentication
Automatic Speech Recognition (ASR)
Automatic call distributor
Business process outsourcing (BPO)
Buy online, pick up in store (BOPIS)
Call center
Call center shrinkage
Contact center as a service (CCaaS)
Context window
Contextual analysis
Conversational AI
Conversational AI design
Conversational commerce
Dialogue state tracking (DST)
Dual-tone multi-frequency (DTMF)
Echo cancellation (AEC)
Entity extraction
Few-shot learning
Fine-tuning
Hill climbing
Human-in-the-loop (HITL)
ISO 27001
ISO 42001
Inference time
Intelligent Virtual Agent (IVAs)
Intent detection
Interactive voice response (IVR)
Knowledge base
Knowledge graph
Latency
Model context protocol
Model drift
Multi-turn conversation
Multimodal AI
Natural language processing (NLP)
Next-best action
Omnichannel customer support
Predictive dialer
Proactive customer support
Prompt engineering
Prosody
Public Switched Telephone Network (PSTN)
Reinforcement learning
Resolution-based pricing
Retrieval augmented generation (RAG)
SIP transfer
Sentiment analysis
Short message service (SMS)
Speech to intent
Speech to speech
Telephone Consumer Protection Act (TCPA)
Telephony
Ticket volume
Ticketing system
Voice activity detection (VAD)
Voice over Internet Protocol (VoIP)
WISMO (where is my order)
Workforce management

Deliver the concierge experiences your customers deserve

Get a demo