SOC 2 Type II is an attestation report issued by an independent Certified Public Accountant (CPA) firm that evaluates whether a service organization's internal controls over information security operated effectively over a defined audit period — typically six to twelve months. The report measures performance against the American Institute of Certified Public Accountants (AICPA) Trust Service Criteria (TSC), which cover five domains: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Unlike a simple certification badge, a SOC 2 Type II report is a detailed technical and procedural document. It includes the auditor's opinion, management's description of the system, and specific test results for each control. Law firms and corporate legal departments use SOC 2 Type II as a baseline vendor assurance requirement before entrusting any cloud service with client data.
The distinction from SOC 2 Type I is fundamental: Type I evaluates whether controls are suitably designed at a single point in time (a snapshot). Type II evaluates whether those controls actually operated as designed throughout the audit period (a film, not a photograph). A vendor can pass a Type I audit immediately after installing new security tooling, but Type II requires consistent operational performance over months. For legal procurement, Type II is the minimum meaningful standard.
Law firms operate under ethical obligations to protect client confidences. ABA Model Rule 1.6(c) requires lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." State bar ethics opinions — including those from New York (Op. 842), California (Op. 2010-179), and others — have consistently held that using cloud-based tools for client matters requires due diligence into the vendor's security posture.
SOC 2 Type II has become the de facto procurement standard for that due diligence. Most AmLaw 200 firms now require SOC 2 Type II certification — with the Confidentiality criteria in scope — for any cloud vendor handling client data. Many also require ISO 27001 certification alongside it. According to the ILTA 2024 Technology Survey, 78% of large law firms cited SOC 2 Type II compliance as a required or strongly preferred criterion when evaluating legal technology vendors.
The practical stakes are significant. A law firm that deploys a legal AI tool without verifying the vendor's SOC 2 status may face:
- Bar discipline for Rule 1.6 violations if a breach occurs
- Malpractice exposure if client data is compromised
- Client contract violations — many sophisticated clients require firms to use only SOC 2-compliant vendors for their matters
- Reputational harm that survives the technical incident itself
For in-house counsel, the stakes include GDPR Article 28 (processor agreements), CCPA contractual requirements, and board-level accountability for data governance failures.
Beyond the legal exposure, there is an operational argument. A vendor that has undergone a twelve-month SOC 2 Type II audit has demonstrated consistent implementation of access controls, change management procedures, incident response protocols, and monitoring. These are the controls that catch the insider threat, the misconfigured storage bucket, and the unpatched server before they become breach notifications.
How It Works (Technical)
The SOC 2 framework is structured around five Trust Service Criteria. Each criterion maps to a set of common criteria (CC series controls) and, where applicable, additional criteria. For legal AI procurement, three criteria are most relevant:
Security (CC series): The foundational criterion covering logical and physical access controls, system monitoring, change management, risk assessment, and incident response. Every meaningful SOC 2 report includes Security. The CC6 controls — logical access controls — are what prevent unauthorized parties from accessing your uploaded contracts or research queries. CC7 covers system operations monitoring; CC8 covers change management to ensure software updates don't introduce new vulnerabilities.
Confidentiality: This criterion specifically addresses whether the vendor protects information designated as confidential according to its agreements. For law firms, this is the most directly relevant criterion beyond Security. The Confidentiality criteria require the vendor to have controls for identifying confidential data, protecting it from unauthorized disclosure, and disposing of it properly. A vendor audit that includes Security but omits Confidentiality provides materially weaker assurance for legal use cases.
Availability: Covers whether systems meet uptime commitments. Relevant for tools integrated into litigation workflows where downtime has deadline consequences.
Processing Integrity and Privacy are less commonly included in legal AI vendor reports. Processing Integrity would theoretically address whether AI outputs are complete and accurate — but the SOC 2 framework is not designed to evaluate AI model accuracy, a critical limitation discussed below.
The audit process involves the CPA firm testing a sample of the vendor's controls against documented procedures. The report will state whether each tested control "met the criteria" or include a noted exception. Qualified opinions (where exceptions are significant enough to undermine the overall assurance) should be treated as disqualifying in legal procurement.
How Legal AI Vendors Address It
Harvey AI holds SOC 2 Type II certification covering the Security and Confidentiality criteria — the combination most directly relevant to law firm use. Harvey's enterprise agreements pair the SOC 2 attestation with explicit commitments that customer data is not used to train models. The primary limitation: Harvey's certification covers its own infrastructure, so law firms should also verify the underlying model provider's (typically the OpenAI or Anthropic API) data handling terms, because the SOC 2 report covers the vendor layer, not the model layer.
Lexis+ AI (RELX/LexisNexis) has SOC 2 Type II certification for its enterprise offerings. LexisNexis is an established information services company with mature security practices. The key verification step: confirm which Trust Service Criteria are in scope for the specific contract tier being purchased. Enterprise agreements often include stronger commitments than standard subscriptions.
Spellbook (Rally) holds SOC 2 Type II certification appropriate for its law firm contract review use case. Spellbook operates on a smaller scale than the large enterprise platforms; the SOC 2 certification provides baseline assurance. Limitation: the audit period and scope of criteria should be verified directly — a report issued eighteen months ago may not reflect current infrastructure.
LegalFly combines SOC 2 Type II with ISO 27001 certification, making it one of the few legal AI tools with dual certification. This combination is particularly relevant for EU and UK law firms, where ISO 27001 is the more recognized standard among data protection regulators. The ISO 27001 certification provides independent verification of the information security management system, while SOC 2 Type II provides the operational controls assurance.
Ironclad holds SOC 2 Type II certification relevant to its contract lifecycle management operations. For in-house legal departments using Ironclad for contract operations, the certification covers the platform's handling of executed agreements, signature workflows, and contract data repositories. Limitation: CLM platforms often integrate with external e-signature services and CRM systems; verify that the SOC 2 scope covers the full data flow, not only the Ironclad core platform.
How Lawyers Should Verify and Apply It
- Request the full report, not the summary letter. Vendors often provide a one-page "SOC 2 Certified" attestation letter. This is not the same as the report. Request the full SOC 2 Type II report. Legitimate enterprise vendors will provide it under NDA. If a vendor refuses to share the report itself, treat that refusal as a risk signal.
- Check the auditor's opinion and any exceptions. Read the independent auditor's report section first. Look for whether the opinion is unqualified (controls met criteria) or qualified (material exceptions exist). Then review the test results section — each tested control will list whether exceptions were noted. Multiple exceptions in access control or monitoring controls should prompt follow-up questions.
- Verify which Trust Service Criteria are in scope. The cover page of the report lists which criteria were audited. Security-only is the minimum; for legal use cases, Confidentiality must also be in scope. If Confidentiality is not included, negotiate to have it added or find a vendor that includes it.
- Check the audit period dates. A SOC 2 Type II report covers a specific period — e.g., January 1 to December 31, 2025. A report covering a period that ended more than twelve months ago provides limited current assurance. Ask for the most recent report and confirm when the next audit cycle begins.
- Document your review in the client file and vendor management records. Bar ethics guidance consistently frames cloud vendor due diligence as an ongoing obligation. Keep a record of when you reviewed the SOC 2 report, what criteria were covered, whether any exceptions were noted, and any follow-up representations obtained from the vendor. This documentation is your defense if a breach occurs and your due diligence is questioned.
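To make the five verification steps concrete, the following is an added example (not from this page, and not any vendor's tooling) that encodes them as a vendor-review check and emits the record that the documentation step calls for. The Soc2Review fields, the rule that exception ids starting with CC6 or CC7 count as access or monitoring controls, and the sample vendor values are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Soc2Review:
    vendor: str
    full_report_received: bool  # full Type II report, not the one-page attestation letter
    opinion: str                # auditor's opinion: "unqualified" or "qualified"
    criteria_in_scope: set      # Trust Service Criteria listed on the report's cover page
    period_end: date            # last day of the audit period
    exceptions: dict            # control id (e.g. "CC6.1") -> noted exception text
    reviewed_on: date           # date the firm performed this review

def months_between(earlier, later):
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)

def assess(r):
    """Apply the five verification steps; returns a record for the vendor management file."""
    disqualifying, follow_up = [], []
    if not r.full_report_received:
        follow_up.append("only a summary letter provided; request the full report under NDA")
    if r.opinion.lower() != "unqualified":
        disqualifying.append("qualified opinion: disqualifying for legal procurement")
    if "Security" not in r.criteria_in_scope:
        disqualifying.append("Security not in scope")
    if "Confidentiality" not in r.criteria_in_scope:
        follow_up.append("Confidentiality not in scope; negotiate to add it or choose another vendor")
    if months_between(r.period_end, r.reviewed_on) > 12:
        follow_up.append("audit period ended more than twelve months ago; request the current report")
    # CC6 = logical access, CC7 = monitoring; more than one exception there needs follow-up
    flagged = sorted(c for c in r.exceptions if c.startswith(("CC6", "CC7")))
    if len(flagged) > 1:
        follow_up.append("multiple access/monitoring exceptions: " + ", ".join(flagged))
    decision = "disqualified" if disqualifying else ("follow-up required" if follow_up else "acceptable")
    return {
        "vendor": r.vendor, "reviewed_on": r.reviewed_on.isoformat(),
        "audit_period_end": r.period_end.isoformat(),
        "criteria_in_scope": sorted(r.criteria_in_scope), "opinion": r.opinion,
        "exceptions_noted": sorted(r.exceptions),
        "decision": decision, "findings": disqualifying + follow_up,
    }

# Constructed sample for a hypothetical vendor (not a product named on this page).
SAMPLE = Soc2Review(
    vendor="ExampleLegalAI (hypothetical)", full_report_received=True, opinion="unqualified",
    criteria_in_scope={"Security", "Availability"}, period_end=date(2024, 12, 31),
    exceptions={"CC6.2": "terminated user access removed late", "CC7.2": "alert not triaged on time"},
    reviewed_on=date(2026, 3, 15),
)
```

Calling `assess(SAMPLE)` returns a "follow-up required" decision with three findings (Confidentiality out of scope, stale audit period, two access/monitoring exceptions), which can be stored as-is in the vendor management records.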