Service Organization
Roles & Vendors · Last updated 2026-05-17

A service organization in the SOC 2 context is any company that operates systems on behalf of its customers and therefore must demonstrate appropriate controls over those systems. The term comes directly from the AICPA standard and applies broadly: SaaS platforms, infrastructure providers, payment processors, managed service providers, and data centers all qualify. The service organization is the entity that engages a CPA firm to perform a SOC 2 audit and that issues the resulting attestation report to its customers, called user entities. Subservice organizations are third parties the service organization itself relies on, such as cloud providers; their controls are handled in the report by either the carve-out method (excluded from scope, with disclosure) or the inclusive method (audited as part of the engagement). Understanding the service organization concept is foundational both for correctly scoping a SOC 2 audit and for reading other companies' reports during vendor due diligence.