Availability

Availability is one of the five Trust Services Criteria in the SOC 2 framework. It evaluates whether a service organization's systems are accessible and operational as committed or agreed with customers, typically through service level agreements. Availability controls cover capacity planning, system monitoring and alerting, environmental safeguards in data centers, backup and recovery procedures, and incident response for outages. The criterion is most relevant for SaaS products with explicit uptime SLAs, infrastructure providers, and platforms where downtime directly damages customer operations. Companies that select Availability in their SOC 2 scope must demonstrate they monitor system performance, plan for capacity growth, maintain disaster recovery capabilities, and respond to availability incidents on documented timelines. Auditors test these controls by reviewing monitoring dashboards, examining incident tickets, and verifying disaster recovery exercises occurred. Availability is optional in SOC 2 but commonly included alongside the required Security criterion when customer contracts reference uptime commitments.