A Simple Explanation of SOC 2 and SOC 3

February 25, 2023

If you visit our Security page at, you will see

“The security controls for the Movius platform annually undergo SOC 2 Type 2 examination against AICPA defined standards.”

If you’re outside of IT and Compliance, you might not know what that means. However, it isn’t hard to learn and can give you an idea of what we mean when we proclaim that our business at Movius is in providing secure communications.

What are SOC Reports?

SOC stands for Service Organization Control. It consists of a set of standards developed by the American Institute of Certified Public Accountants (AICPA). SOC reports are conducted by independent auditors. They evaluate based on 5 Trust Services Criteria and 9 Common Criteria.

What are controls?

In IT, a control is a measure or mechanism put in place to manage, reduce, or eliminate a specific risk or threat. Controls can be technical, administrative, or physical in nature.

About SOC 2 Type 1 and Type 2 Reports

There are two types of SOC 2 reports, Type 1 and Type 2.

Type 1 reports analyze the design of the controls in place. Type 2 reports analyze the effectiveness of the controls over a period of time (usually 6-12 months).

Basically, Type 2 reports are a more comprehensive evaluation of the controls than Type 1 reports because they observe the system over time.

What are the 5 Trust Services Criteria (TSC)

The five TSC are a set of criteria that form the basis of SOC 2 and SOC 3 audits. They are:

  1. Security – How is the system protected against vulnerabilities and attacks?
  2. Availability – How does the organization decide when to make information available?
  3. Processing integrity – Is the service processing accurate, timely, and complete; and is it meeting objectives?
  4. Confidentiality – When sharing information, how does the organization ensure it is secure?
  5. Privacy – How does the organization safeguard personal information?
SOC 2 Trust Service Principles include Security, Availability, Processing Integrity, Confidentiality and Privacy
Image by Compliance Point

What are the Common Criteria?

The SOC 2 Common Criteria list, also known as the CC-series, are a set of 9 internationally recognized standards used to evaluate the security features and capabilities of Information Technology (IT) systems.

CC1 Control environment Controls are in place that ensure integrity and security of the system.
CC2 Communication and Information Organization communicates controls well to both internal and external partners.
CC3 Risk Assessment Controls identify risk and analyzes changes that impact that risk.
CC4 Monitoring Controls Controls allow for monitoring of the system
CC5 Control Activities Controls allow for analyzing the effectiveness of the system
CC6 Logical and Physical Access Controls Controls include data encryption, access control, and preventing unauthorized physical access to servers.
CC7 System Operations Controls include system monitoring, incident response, and disaster recovery plans in place.
CC8 Change Management Controls are in place that minimize any negative impact of changes; changes are tested, well documented, and reviewed.
CC9 Risk Mitigation Controls account for and reduce negative impacts from risks.


About the SOC 3 Report

SOC 3 reports are based on the same criteria as SOC 2 reports. However, SOC 3 reports are more general in nature and do not include as much detailed information as SOC 2 reports. SOC 3 reports are intended for public consumption, meaning they can be shared with anyone, including customers, partners, and the public.

So essentially, SOC 2 Type 2 certification means that an external auditor agrees that we have implemented controls according to the industry standard and that we measure up against all the criteria and principles discussed above. The Movius SOC 3 Report is available on request.

I hope this helped those who are not in IT understand a little more what makes the Movius communications platform secure. The ability to connect with customers and employees in a secure and effective way is critical for any company’s success. That’s why we are passionate about providing trusted communications.


Melanie Allen, Product Marketing Content Writer

Bill Pettit, Head of SaaS and Customer Operations


Subscribe for the Latest Posts

Ready to Learn More?