
Papermark SOC 2 Type II Compliance in 2026: Audit Scope and the 5 Trust Services Criteria

7 min read
Marc Seitz

Papermark is SOC 2 Type II compliant. The audit covers the AICPA Trust Services Criteria (security, availability, confidentiality) across our virtual data room, document sharing, and analytics platform. For the full security and compliance posture (encryption, hosting regions, certifications, sub-processors), see the Papermark security page.

Papermark virtual data room interface

This guide explains what SOC 2 Type II means, what our audit covers, and why it matters for procurement teams assessing Papermark for M&A, fundraising, and regulated workflows.

Quick recap

  • SOC 2 (System and Organization Controls 2) is an AICPA auditing standard for service organizations evaluating controls around customer data.
  • SOC 2 Type II (vs Type I) evaluates the operating effectiveness of controls over a period of time (typically 6-12 months), not just their design at a single point.
  • Five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, privacy.
  • Papermark's SOC 2 Type II audit covers security (required), availability, and confidentiality criteria as standard, with privacy addressed through GDPR-aligned controls.
  • Audit frequency: annual, with continuous monitoring between audits.
  • Report availability: SOC 2 Type II report available to enterprise customers under NDA.
  • Relationship to GDPR, HIPAA, ISO 27001: SOC 2 is a strong baseline; additional frameworks apply for specific regulated industries.

What is SOC 2 Type II compliance?

SOC 2 (System and Organization Controls 2) is a rigorous auditing procedure developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how service organizations handle customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Type II reports evaluate the operating effectiveness of controls over a 6-12 month audit period, not just their design at a single point in time.

SOC 2 is the dominant security-and-controls attestation for B2B SaaS in North America and is increasingly expected in Europe and Asia-Pacific. For virtual data rooms handling M&A, fundraising, and regulated diligence, SOC 2 Type II is a baseline procurement requirement, not a differentiator.

The five Trust Services Criteria

SOC 2 audits are scoped around five AICPA Trust Services Criteria. Every SOC 2 audit includes Security (the Common Criteria); additional criteria are added based on the service organization's scope.

Security. Protection against unauthorized access, disclosure, alteration, and damage. Covers access controls, encryption, network security, incident response, and change management. Required in every SOC 2 audit.

Availability. System availability for operation and use as committed or agreed. Covers uptime, resilience, disaster recovery, and capacity planning.

Processing integrity. System processing is complete, valid, accurate, timely, and authorized. Relevant for systems performing calculations or automated processing (less central for a VDR).

Confidentiality. Information designated as confidential is protected. Covers data classification, access controls, retention, and secure disposal.

Privacy. Personal information is collected, used, retained, disclosed, and disposed of in accordance with AICPA Generally Accepted Privacy Principles (GAPP). Overlaps with GDPR but is a distinct framework.

Papermark's SOC 2 Type II audit scope

Papermark's SOC 2 Type II audit covers Security (required Common Criteria) plus Availability and Confidentiality. Privacy is addressed through GDPR-aligned controls documented separately in our GDPR compliance overview.

Security controls

Granular access permissions on a Papermark data room

  • Access management: multi-factor authentication, role-based access controls, scoped API tokens, regular access reviews.
  • Data encryption: AES-256 at rest across all stored documents, metadata, and audit logs; TLS 1.3 in transit for all client-server communications.
  • Network security: web application firewall, DDoS protection, rate limiting, intrusion detection and monitoring.
  • Endpoint security: managed device policies, endpoint detection and response (EDR), and secure authentication for employee access.
  • Physical security: secure cloud data centers (SOC 2 attested infrastructure providers) with 24/7 monitoring, access controls, and environmental safeguards.

Availability controls

  • Uptime: operational monitoring with target SLAs on hosted Papermark plans.
  • Redundancy: multi-region database backups and application-layer redundancy.
  • Disaster recovery: documented DR procedures with recovery time objectives (RTO) and recovery point objectives (RPO) tested annually.
  • Capacity planning: proactive scaling and performance monitoring.

Confidentiality controls

  • Data classification: documented classification scheme for customer-uploaded content versus platform-operational data.
  • Access restrictions: confidential customer data accessible only to authorized systems and employees on a need-to-know basis.
  • Retention and disposal: documented retention schedules and secure deletion procedures aligned to customer contracts.
  • Confidentiality agreements: NDAs and confidentiality obligations for employees and contractors.

Operational controls

  • Incident response: 24/7 on-call rotation, documented IR procedures, breach notification workflows.
  • Change management: controlled development lifecycle (Git-based review, staging deployments, production approvals).
  • Vendor management: security assessments for sub-processors and third-party vendors.
  • Employee training: security and privacy training for all staff with customer data access.

Why SOC 2 matters for virtual data rooms

SOC 2 Type II is the single most common compliance attestation requested during VDR vendor assessments. Four specific workflows depend on it.

Regulated-industry procurement. Banks, healthcare, insurance, and government-adjacent organizations typically require SOC 2 Type II as a baseline before engaging any cloud vendor. Without it, the vendor fails the procurement screen.

Enterprise vendor due diligence. Large enterprises running vendor risk management processes routinely request the SOC 2 Type II report (under NDA) as part of onboarding. This is standard procurement hygiene, not a high bar.

M&A and fundraising data rooms. Institutional LPs and strategic acquirers increasingly ask what compliance attestations their target's VDR vendor holds. SOC 2 Type II is the answer that closes the conversation.

Post-incident liability. In the event of a security incident, having a current SOC 2 Type II report plus an ongoing monitoring program materially reduces liability and regulatory exposure compared to having no attestation.

SOC 2 Type II vs Type I: what's the difference?

A SOC 2 Type I report evaluates whether controls are suitably designed at a single point in time. A SOC 2 Type II report evaluates whether controls are suitably designed and operating effectively over a defined audit period (typically 6-12 months).

Type I is easier to achieve but weaker as an attestation: it confirms the controls exist, not that they work reliably over time. Type II is the industry-standard expectation for mature SaaS vendors handling sensitive customer data. Papermark is audited annually under SOC 2 Type II.

SOC 2 vs ISO 27001 vs GDPR vs HIPAA

Compliance frameworks are not interchangeable. The table below maps the four most common frameworks for VDR procurement.

Framework     | Scope                                  | Audit/Certification                       | Common in
------------- | -------------------------------------- | ----------------------------------------- | ----------------------------------
SOC 2 Type II | AICPA Trust Services Criteria          | Annual audit, report under NDA            | US-centric, B2B SaaS
ISO 27001     | Information security management system | Formal certification by accredited body   | EU and global enterprises
GDPR          | EU personal data protection            | Legal compliance, DPA, sub-processor list | Any processing of EU resident data
HIPAA         | US healthcare PHI                      | BAA, compliance program (no formal cert)  | Healthcare, biotech, medical devices

Many enterprise customers request multiple frameworks. Papermark maintains SOC 2 Type II and GDPR alignment as standard, supports ISO 27001 via self-hosted deployment on customer infrastructure, and offers HIPAA readiness via self-hosted plus signed BAA on enterprise contracts.

See SOC 2 controls in the product

Append-only audit logging captures every view and download for the SOC 2 Confidentiality criterion:

Page-by-page document analytics

Dynamic per-session watermarking marks every page with viewer email, IP, and timestamp:

Dynamic watermarking on a Papermark document

For the live list of certifications, hosting regions, encryption standards, and the SOC 2 NDA request workflow, visit the Papermark security page.

How to obtain Papermark's SOC 2 Type II report

Papermark's SOC 2 Type II report is available to enterprise customers and prospects under mutual NDA. To request the report:

  1. Contact your Papermark account representative or email security@papermark.com.
  2. Complete an NDA (standard mutual NDA or customer-provided form accepted).
  3. Receive the SOC 2 Type II report covering the current audit period.

The report includes the independent auditor's opinion, a description of the system and its controls, the results of tests of operating effectiveness, and management's assertion.

Papermark compliance posture

Framework             | Papermark status
--------------------- | ------------------------------------------------------
SOC 2 Type II         | ✔️ Audited annually
GDPR                  | ✔️ Compliant, DPA available
ISO 27001             | Via self-hosted deployment on customer infrastructure
HIPAA                 | Via self-hosted + signed BAA (enterprise plan)
CCPA                  | ✔️ Compliant
FDA 21 CFR Part 11    | Via self-hosted deployment with audit log export
Encryption at rest    | AES-256
Encryption in transit | TLS 1.3
MFA                   | ✔️
Self-hosted option    | ✔️ (AGPL open-source)
