[{"data":1,"prerenderedAt":144},["ShallowReactive",2],{"blog_post:soc2-type-ii-government-software-vendors-questions":3},{"id":4,"uid":5,"url":6,"type":7,"href":8,"tags":9,"first_publication_date":10,"last_publication_date":10,"slugs":11,"linked_documents":13,"lang":14,"alternate_languages":15,"data":16},"ajFz6BIAACoA0ByN","soc2-type-ii-government-software-vendors-questions","\u002Fnews\u002Fsoc2-type-ii-government-software-vendors-questions","blog_post","https:\u002F\u002Fairlift.cdn.prismic.io\u002Fapi\u002Fv2\u002Fdocuments\u002Fsearch?ref=ajlszBEAACcAT_Jj&q=%5B%5B%3Ad+%3D+at%28document.id%2C+%22ajFz6BIAACoA0ByN%22%29+%5D%5D",[],"2026-06-22T17:11:38+0000",[12],"soc-2-type-ii-for-government-software-vendors-questions-every-agency-should-ask",[],"en-us",[],{"post_title":17,"author":23,"category":28,"date":29,"summary":30,"hero_image":34,"body":46},[18],{"type":19,"text":20,"spans":21,"direction":22},"heading1","SOC 2 Type II for Government Software Vendors: Questions Every Agency Should Ask",[],"ltr",[24],{"type":25,"text":26,"spans":27,"direction":22},"paragraph","cloudPWR Team",[],"insights","2026-06-16",[31],{"type":25,"text":32,"spans":33,"direction":22},"When a SaaS vendor claims SOC 2 Type II certification, that's the beginning of the conversation, not the end. 
Here's what state and local agencies need to actually dig into before signing.",[],{"dimensions":35,"alt":38,"copyright":39,"url":40,"id":41,"edit":42},{"width":36,"height":37},1125,750,"Server racks in a modern data center, representing cloud infrastructure security and compliance","Source: Pexels - Brett Sayles - free commercial use","https:\u002F\u002Fimages.prismic.io\u002Fairlift\u002FajFziI1P9HI4UlN-_hero-image.jpg?auto=format,compress","ajFziI1P9HI4UlN-",{"x":43,"y":43,"zoom":44,"background":45},0,1,"#ffffff",[47,75,86,112],{"variation":48,"version":49,"items":50,"primary":51,"id":72,"slice_type":73,"slice_label":74},"default","initial",[],{"body_text":52},[53,56,59,63,66,69],{"type":25,"text":54,"spans":55,"direction":22},"When a state agency puts out a software procurement RFP, \"SOC 2 Type II certified\" often appears as a checkbox requirement. The vendor checks it. The procurement team checks it off. Nobody asks what was actually in scope.",[],{"type":25,"text":57,"spans":58,"direction":22},"That's a problem. SOC 2 Type II is a real and meaningful attestation (strictly speaking, an independent auditor's report with an opinion on the vendor's controls, not a certificate, though \"certified\" is the shorthand RFPs and vendors use), but it's flexible enough that two vendors can both hold a clean report while having dramatically different security postures. Understanding what's actually being attested to requires asking a few specific questions that don't show up in standard vendor questionnaires.",[],{"type":60,"text":61,"spans":62,"direction":22},"heading3","What SOC 2 Type II Actually Tells You",[],{"type":25,"text":64,"spans":65,"direction":22},"SOC 2 is a framework created by the AICPA (American Institute of Certified Public Accountants). Type II specifically means the auditor didn't just inspect the company's controls at a single point in time. They tested whether those controls actually operated effectively over a period, typically six to twelve months. 
That's significantly more rigorous than Type I.",[],{"type":25,"text":67,"spans":68,"direction":22},"The framework is organized around five Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Vendors choose which criteria to include. A vendor with SOC 2 Type II covering only the Security TSC has a narrower attestation than one covering Security, Availability, and Confidentiality.",[],{"type":25,"text":70,"spans":71,"direction":22},"Scope also matters enormously. A report that covers only the vendor's internal corporate IT systems is very different from one that explicitly includes the production environment your agency's data will live in.",[],"body_text$979b3836-3334-4f66-8964-3e7bae143a1b","body_text",null,{"variation":48,"version":49,"items":76,"primary":77,"id":84,"slice_type":85,"slice_label":74},[],{"quote_copy":78,"quote_source":82,"quote_image":83},[79],{"type":25,"text":80,"spans":81,"direction":22},"The SOC 2 report tells the story, if you read it. You're entitled to ask for the full report — not just a summary letter or a badge on a vendor's website.",[],[],{},"quote$5fef56cf-10e6-4283-9f81-30f52c02f031","quote",{"variation":48,"version":49,"items":87,"primary":88,"id":111,"slice_type":73,"slice_label":74},[],{"body_text":89},[90,93,96,99,102,105,108],{"type":60,"text":91,"spans":92,"direction":22},"Questions Agencies Should Ask Before Signing",[],{"type":25,"text":94,"spans":95,"direction":22},"The SOC 2 report itself tells the story, if you read it. You're entitled to request a copy of the full report (the \"Type II report\", which contains the auditor's opinion, management's assertion, the vendor's system description, and the list of controls tested with the result of each test), not just a summary letter or a badge on a vendor's website. Vendors normally release it under an NDA because it is a restricted-use document; that is standard practice, not a reason to settle for a summary.",[],{"type":25,"text":97,"spans":98,"direction":22},"Start with scope: does the report explicitly cover the production systems, data centers, and cloud infrastructure that will handle your data? 
Ask the vendor which cloud provider and regions are included.",[],{"type":25,"text":100,"spans":101,"direction":22},"Ask about the audit period. A report issued in November 2025 covering April through October 2025 is current. A report issued in November 2023 is not, regardless of when it's presented to you. If the period ended several months ago, ask for a bridge letter, a management statement that the controls have not materially changed since the period end; it is not audited, so it covers a gap of a few months, not a missed year. Ask when the next audit is scheduled.",[],{"type":25,"text":103,"spans":104,"direction":22},"Ask which Trust Services Criteria are in scope. If you're handling personally identifiable information or medical data, you want to see the Confidentiality TSC included, and if the system collects or processes personal information directly, the Privacy TSC as well, since that is the one that covers notice, consent, retention, and disposal. For a system your agency will depend on operationally, Availability matters too.",[],{"type":25,"text":106,"spans":107,"direction":22},"Ask about exceptions. Auditors note \"exceptions\" when a tested control didn't operate effectively during the period. A few minor exceptions with documented remediation plans are normal. A pattern of repeated exceptions in the same control areas is a warning sign, so read management's response to each one and compare against the prior year's report.",[],{"type":25,"text":109,"spans":110,"direction":22},"Finally, ask whether the report covers subservice organizations. Many SaaS vendors use cloud infrastructure providers, backup vendors, or third-party authentication services. If those are \"carved out\" of the report, the vendor isn't attesting to the controls those providers have in place; the report will instead list the complementary subservice organization controls (CSOCs) the vendor assumes those providers perform. 
You may want their reports too (the major cloud providers publish theirs through their compliance portals). Read the complementary user entity controls (CUECs) in the same spirit: those are controls the auditor assumed your agency operates, typically provisioning and deprovisioning user accounts, enforcing MFA for your users, and reviewing access, and a gap there is yours, not the vendor's.",[],"body_text$f5975357-13fc-4d17-9e6e-cd59f66f0a5e",{"variation":48,"version":49,"items":113,"primary":114,"id":143,"slice_type":73,"slice_label":74},[],{"body_text":115},[116,119,122,125,128,131,134,137,140],{"type":60,"text":117,"spans":118,"direction":22},"Why This Matters for Government Applications",[],{"type":25,"text":120,"spans":121,"direction":22},"State and local government software handles data that carries specific legal obligations: HIPAA for medical data, PII protection requirements that vary by state, and in some cases federal data handling standards depending on the program.",[],{"type":25,"text":123,"spans":124,"direction":22},"SOC 2 doesn't replace those obligations. It's a general commercial standard. An agency handling medical cannabis patient records, for example, needs more than a security controls audit. It needs a vendor that has signed a Business Associate Agreement (BAA), uses encryption that meets applicable standards, and can demonstrate data residency within the United States.",[],{"type":25,"text":126,"spans":127,"direction":22},"The certification is a starting point. It means the vendor takes security controls seriously enough to hire an independent auditor to test them. But a thorough vendor evaluation still requires reviewing the actual report, understanding what's in scope, and confirming the certification covers what it says it does.",[],{"type":60,"text":129,"spans":130,"direction":22},"cloudPWR's Approach",[],{"type":25,"text":132,"spans":133,"direction":22},"cloudPWR holds SOC 2 Type II certification covering its production infrastructure on Microsoft Azure. The certification covers security controls for data handling in our government-facing applications, including AIRLIFT Connect.",[],{"type":25,"text":135,"spans":136,"direction":22},"We're also a GovRAMP member, the state and local government counterpart to the federal FedRAMP program. 
We operate under signed BAAs for applications handling health-related data.",[],{"type":25,"text":138,"spans":139,"direction":22},"When agencies ask to review our SOC 2 report, the answer is yes. We want procurement teams asking the right questions. An agency that scrutinizes vendor security certifications is doing exactly what it should, and a vendor that welcomes that scrutiny is a good indicator of a thoughtful technology partner.",[],{"type":25,"text":141,"spans":142,"direction":22},"If you're evaluating document integration software and want to walk through our compliance posture, contact the cloudPWR team.",[],"body_text$3ad9a1f2-7043-4221-826c-7e07bfee5048",1782148331726]