The industry’s most attainable security certification.

What is SOC 67?

SOC 67 is a security certification for organizations that want to demonstrate they have thought about security, documented that they have thought about it, and received a document confirming this.

The framework certifies intent, awareness, and the position that security is, broadly speaking, a good thing. Certification is available to any organization that requests it. No organization has been found deficient.

Nothing on this site is issued by the AICPA or any regulator. SOC 67 is an independent community specification. If you need a licensed CPA’s opinion, engage one separately. Their conclusions may differ.

SOC 67 Trust Services Criteria

Fifty-eight pass/fail criteria across five categories—common controls, availability, processing integrity, confidentiality, and privacy—written in plain language.

Category labels mirror how assurance reports are usually organized. This is an independent specification, not an AICPA product. Criteria numbering is stable for mapping and versioning.

Category 01 — CC

Common Criteria

Criteria addressing the organization’s general security governance, logical and physical access controls, change management, and risk oversight.

CC1.1

The organization has at least one employee.

CC1.2

Employees know who their manager is.

CC1.3

The organization has an email address.

CC1.4

The organization’s product has a logout button.

CC1.5

The organization does not store passwords in plain text.

CC2.1

The organization has at least one policy document.

CC2.2

The organization does not reuse the same password across all its systems.

CC2.3

The organization’s test data does not contain real customer information.

CC3.1

Someone occasionally checks that things are working.

CC3.2

The organization has not accidentally made a private repository public.

CC3.3

The organization requires authentication to access customer data.

CC3.4

The organization’s error messages do not expose stack traces to users.

CC4.1

Not everyone at the organization has access to everything.

CC4.2

New employees are given a login when they join.

CC4.3

When someone leaves the company, their login is eventually removed.

CC4.4

Users can reset their password.

CC5.1

Old laptops are not given away with data still on them.

CC5.2

The organization does not email customer data to strangers.

CC5.3

The organization’s admin account is not named “admin.”

CC5.4

The organization’s database is not publicly accessible without a password.

CC5.5

The organization’s Wi-Fi has a password.

CC5.6

The organization’s employees do not share login credentials with each other.

CC6.1

The organization’s product does not expose one customer’s data to another customer.

CC6.2

The organization’s internal tools are not accessible from the public internet.

CC6.3

The organization backs up its data.

CC6.4

Customer accounts can be deleted.

CC7.1

When a security incident occurs, the organization attempts to stop it.

CC7.2

The organization does not CC all its customers on the same email.

CC7.3

Production and staging are different environments.

CC7.4

The organization’s product does not charge customers twice for the same transaction.

CC7.5

The organization’s source code is not in a public repository named “prod.”

CC8.1

The organization’s product sends a confirmation email when a user signs up.

CC8.2

The organization’s employees do not have admin access to systems they do not use.

Category 02 — A

Availability

Criteria addressing whether the organization’s systems are operational and accessible to users as committed.

A1.1

The organization’s website is accessible via the internet.

A1.2

The organization’s website has been up for at least one full calendar day during the audit period.

A1.3

The organization has a status page, or is aware that status pages exist.

A1.4

The organization’s product is accessible to users who have paid for it.

A1.5

The organization’s website loads in under 30 seconds.

Category 03 — PI

Processing Integrity

Criteria addressing whether the organization’s system processes data completely, accurately, and as intended.

PI1.1

The organization’s product does what it says it does.

PI1.2

When a user submits a form, the form is submitted.

PI1.3

Data saved by a user is still there the next time they log in.

PI1.4

The organization’s product does not show a different user’s account after login.

PI1.5

The organization’s product has been used by at least one person who does not work there.

PI1.6

The organization’s product does not randomly delete user data.

PI1.7

The organization’s product does not log users out in the middle of what they are doing.

Category 04 — C

Confidentiality

Criteria addressing the protection of information the organization has committed to hold confidential.

C1.1

Customer data is not stored in a shared Google Drive folder set to “Anyone with the link.”

C1.2

Customer passwords are not stored in a spreadsheet.

C1.3

One customer cannot see another customer’s data.

C1.4

Customer data is not included in the organization’s public blog posts.

Category 05 — P

Privacy

Criteria addressing the collection, use, retention, disclosure, and disposal of personal information.

P1.1

The organization has a privacy policy linked somewhere in the footer.

P2.1

Users are asked to click Accept before the organization collects their data.

P3.1

Personal data is used for the thing the user signed up for, and marketing.

P4.1

The organization’s third-party data sharing is disclosed in a document most users will not read.

P5.1

Users can unsubscribe from marketing emails.

P6.1

The organization’s privacy policy was not written entirely by an AI and never reviewed.

P7.1

The organization has heard of GDPR.

P7.2

The organization’s website has a cookie banner.

P7.3

The organization knows what data it collects, approximately.

Badge & certification

Example badge you can place on your site once you’re SOC 67 compliant.

SOC 67 compliant

Get Certified. Stay Certified.

SOC 67 certification is available to any organization that requests it through the program office. There are no formal prerequisites, minimum security posture requirements, or baseline infrastructure gates. The standard assessment window is sixty-seven business days, running concurrently with preparation activities described in the engagement letter.

Upon successful completion of the assessment—which, under program policy, is the expected outcome when scope and fees are agreed—your organization receives a SOC 67 Type II report package, a certification letter on official program letterhead, and digital badge assets for websites, README files, decks, and procurement questionnaires.

SOC 67 Type II certification is valid for sixty-seven months. Recertification follows the same process. Controls need not have changed; security posture need not have improved. A renewal request initiates the next engagement.

SOC 67 is an independent community specification and program, not an AICPA SOC examination. Relying parties should read criteria and reports carefully; substitution for CPA attestation under AICPA standards is not supported unless separately arranged with a licensed firm.

Specification status

This site hosts the authoritative text of the SOC 67 Trust Services Criteria and program overview. Versioned updates, report templates, and implementation guidance may be published as the framework matures. SOC 67 remains independent of AICPA publications; use in an AICPA SOC examination requires alignment with applicable AICPA guidance and a qualified practitioner.

SOC 67 is an independent community specification. It is not an AICPA product, SOC report type, or substitute for professional advice from a licensed CPA when you need attestation under AICPA standards.